Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com)
Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
... nicer company. Carry on.
AMD, ARM, and whoever else? Are they getting sued too? Or is the strategy here just 'attack the biggest target'?
I can't wait to get my $3 !!
I'm pretty sure Intel never made promises that it was a highly secure chip. They mainly market on power and performance.
“Common sense is not so common.” — Voltaire
I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity. Please do not encourage the spread of this misinfo. It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.
https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html
Warning: Should a future vulnerability be discovered in this technology--which is almost certainly incomprehensible to you anyway and may as well be considered "magic"--corrective updates may impact advertised performance.
The Daddy casts sleep on the Baby. The Baby resists!
30 sounds low. Throw the book at 'em!
Table-ized A.I.
Mistake 1: A major engineering design flaw.
Mistake 2: Neglected to force their users to enter into a binding arbitration agreement before using the CPUs.
Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.
Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
me_cleaner: Set HAP AltMeDisable bit with -S option
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could ga
Don't fall for Intel's PR tactics.
Meltdown is much worse than Spectre and Meltdown is an Intel only flaw.
No purchases until hardware fix.
Lovely bug that can't be fixed by microcode. Millions of flawed CPUs out there. What's the technology that pushes native code to run in web browsers called again? Can't wait for that clusterfuck to happen.
Will they have to actually demonstrate a material loss resulting from a security breach associated with the flaw, including some kind of material proof that the flaw was actually the cause of the breach?
I'm kind of guessing time spent running around and patching probably isn't something they can sue for, otherwise MS would have been out of business ages ago on this item.
And what do they actually hope to get out of it? New CPUs not compatible with their existing motherboards? A cash payment based on the pro-rated cost of the microprocessor itself based on remaining life cycle?
I can see the obvious desire to rake Intel over the coals and perhaps they deserve some of it, I just don't get how you can link any specific loss to this chip flaw, or if you can, it's extremely hard to prove.
I'm also curious if there's not some general defense for Intel along the lines of "running a computing infrastructure involves dealing with bugs and flaws in hardware and software, problems will arise".
but setting the precedent that you're liable if your product is vulnerable to exploit techniques that are invented after the product ships would be very dangerous for the entire industry.
Fuck off, make dangerously broken shit and you need to do a recall, just like the auto industry.
I already know I don't have it in me to take Intel to court, but I'm pretty peeved since I bought an i5-7500 right before this stuff was announced (and you can't return processors anywhere). It knocked about 5% off the performance and I would have waited until the next gen stuff was out this year or next (or bought a Ryzen) if I'd known.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
They were selling processors with known security flaws for six months without disclosing that information. They should have to make good with the people that they screwed over.
I mean, thinking this all through, it seems to be a frivolous exercise without some massive shift.
Intel grossed over $60 billion in FY 2016. Even if each of these lawsuits requires Intel to pay $1 billion, and all of them are won, it's less than six months of revenue for them - not fun, but not the corporate equivalent of $150,000 in individual medical debt, either. Intel has enough in the bank to ride the storm, and simply bump up CPU prices by another 15% until the costs are paid...and then leave the prices there.
In a perfect world, this would give AMD the golden opportunity to pick up the slack. The Ryzen line of processors has been met with a whole lot of favorable press; they could easily take over the i3/i5/i7 desktop/laptop markets from a performance perspective. However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.
The server room is still Intel's. Dell, HP, and Lenovo have dabbled in a few AMD-based machines (I've got a pair of Opteron-based R415's running as routers myself), but with AMD having misstepped with the Bulldozer architecture and certain server applications being all "we only support Intel", I don't see AMD making massive inroads there either. This is compounded by the likelihood that Dell ordering 0.8X Xeon processors from last year and making up the slack with newer Opterons is going to inevitably involve a higher per-processor price, making their servers more expensive, meaning that if Lenovo keeps their orders up, they will be cost favorable, leaving Dell less able to compete on price unless sysadmins really do start ordering AMD-based servers for their racks.
Now, the one player that really could make a dent would be Samsung - there's not a laptop component they don't make except the processor at this point, so retooling their Exynos chip fabs to make an x86 processor that can compete with an i3 and deliver an end-to-end, single-manufacturer laptop or desktop is in the cards for them, certainly more so than any other manufacturer. If they can pitch one running Android and avoid a Windows license, even better. Even so, it's risky for Samsung, and although they can eat a pretty big loss, trying to capitalize on Intel while they are down and hoping that consumers end up buying a laptop sporting a CPU from a relative newcomer is not the kind of gamble that risk-averse execs are likely to go full force on.
In summary, Intel CPU processors will rise, AMD may well be capable of meeting demand but OEMs, retailers, sysadmins, and consumers are going to be a bit skittish about giving AMD a shot when Intel is a known quantity, and while Samsung could probably kick 'em while they're down, it's highly debatable that they will do so. In the end, Intel is likely to just raise prices and the world continues as normal.
try that in America where we do Jury trials for a lot of these sorts of things and it'll blow up in your face. The rest of the world that might work though.
I want to be a Russian! There isn't anything those heroic, chisel-jawed Slavic comrades can't do. They can materially affect the outcome of US elections with $87 and 1000 posts on social media. They can infiltrate yer softwares at will. They are truly supermen.
Zhaoxin launches their highest-performance Chinese x86 chips
China has taken a major step forward in its quest for high-performance domestic Chinese microprocessors with Zhaoxin's launch of their newest x86 processors.
In case you've never heard about Zhaoxin, they are a Chinese microprocessor designer that has been working on developing a domestic x86 CPU microarchitecture. Being partially owned by VIA Technologies most likely means they are covered by VIA's x86 cross-license agreement, although VIA refused to confirm this when we asked. The 2010 FTC settlement required Intel to modify agreements with AMD, Nvidia, and Via to allow them to undergo mergers and joint ventures with other companies without the threat of being sued for patent infringement. Zhaoxin is majority owned (80.1%) by the Shanghai Municipal Government and the push for domestic x86 chips comes as part of their national security initiative which calls for the reduction in reliance on foreign products and greater control over their own intellectual property (i.e., the hardware in this case).
5th Generation KaiXian
On December 28 at a conference dedicated for independently-developed domestic Chinese CPUs, Zhaoxin officially launched their 5th generation KaiXian processors. Fabricated domestically on HLMC's 28nm process based on the WuDaoKou microarchitecture, those processors represent a significant step forward.
Zhaoxin announced two new series based on their latest architecture: KaiXian 5000 (KX-5000) and the KaisHeng 20000 (KH-20000). Note that "KaiXian"/"KX" is exactly the same family as the previously named "Zhaoxin KaiXian"/"ZX". The slight renaming was done to distinguish prior VIA Technologies architecture from Zhaoxin mostly domestically developed architecture.
That article contains errors. In particular, the article claims that AMD processors are "potentially vulnerable to only one of the three variants of Meltdown". This is incorrect for two reasons.
(1) There is only one "variant" of Meltdown. Presumably, the author mistakenly considers Spectre Variant 1 and Spectre Variant 2 to be "variants" of Meltdown.
Or he's a moron
However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.
LOL you're a fucking moron, 10 years ago the world didn't run on social media, now news travel fast, very fast.
AMD is killing Intel in performance and prices, that's what the customers see, not what AMD fucking released 10 years ago.
You think like a moron, stop thinking with Intel's dick in your mouth.
The ambulance chasers are having fun.
Numerous combinations of CPU instructions might turn out to not do what you wanted them to do, if you wanted a different thing than what they physically do! That has nothing even to do with Intel.
Look up Pentium's FDIV bug.
The i9 7940X, 7960X and 7980X should not have been released last year or if released only with a disclosure of vulnerability.
The Intel CEO wouldn't be able to dump his stock at high prices.
Stop its ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software like the uninstaller for it & DisableAMT.exe + the test in usermode via Intel-SA-00075-GUI.exe to TRIPLE CHECK)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!
Especially after this finding: Intel Management Engine pwned by buffer overflow vendor patches for the vulnerability may not be enough http://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/ & Marcus Hutchin's "magic bit" patch doesn't help vs. this either.
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
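One way to check that a router port filter like the one described in the comment above is actually holding, shown as an added example that is not part of the original thread: it scans gateway firewall log lines for flows on the ports the comment lists and reports any that were accepted rather than dropped. The `FW-ACCEPT`/`FW-DROP` log prefix, the simplified `KEY=value` line layout, and the sample log are assumptions constructed for illustration.

```python
import re

# Ports exactly as listed in the comment above: 16992-16995 and 623-625.
AMT_PORTS = frozenset(range(16992, 16996)) | frozenset(range(623, 626))

# Assumed log prefix written by the gateway's logging rules (hypothetical naming).
PREFIX_RE = re.compile(r"\bFW-(ACCEPT|DROP)\b")

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 17 10:01:02 gw kernel: FW-ACCEPT IN=lan0 OUT=wan0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=51514 DPT=443
Feb 17 10:01:09 gw kernel: FW-DROP IN=wan0 OUT=lan0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=16992
Feb 17 10:02:30 gw kernel: FW-DROP IN=wan0 OUT=lan0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=UDP SPT=40113 DPT=623
Feb 17 10:03:41 gw kernel: FW-ACCEPT IN=lan0 OUT=wan0 SRC=192.0.2.10 DST=203.0.113.80 PROTO=TCP SPT=16993 DPT=52200
Feb 17 10:04:00 gw kernel: FW-ACCEPT IN=lan0 OUT=wan0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """Return a dict for one TCP/UDP log line, or None if it has no ports."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "action": m.group(1),
            "in": fields.get("IN", ""),
            "out": fields.get("OUT", ""),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "spt": int(fields["SPT"]),
            "dpt": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None  # ICMP, truncated, or otherwise port-less line


def amt_flows(log_text):
    """All logged flows whose source or destination port is in AMT_PORTS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Check both ends: DPT catches requests, SPT catches replies leaving the LAN.
        matched = [p for p in (rec["dpt"], rec["spt"]) if p in AMT_PORTS]
        if matched:
            rec["port"] = matched[0]
            hits.append(rec)
    return hits


def unfiltered(log_text):
    """Flows on the listed ports that the gateway accepted: the filter has a gap."""
    return [r for r in amt_flows(log_text) if r["action"] == "ACCEPT"]


if __name__ == "__main__":
    for r in unfiltered(SAMPLE_LOG):
        print(f"NOT FILTERED: {r['proto']} {r['src']}:{r['spt']} -> "
              f"{r['dst']}:{r['dpt']} ({r['in']} -> {r['out']})")
```

In the constructed log the inbound attempts are dropped, but a reply sourced from port 16993 is accepted on the way out, which is the kind of one-directional rule gap this check is meant to surface.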
Speculative execution (security problem by arbitrary elevation of ring 3 --user application-- to ring 0 --operating system kernel--) is done exclusively by Intel. Branch prediction was over 95% effective on Pentium series processors, and since it's so good, let's pre-compute the 'winning' side several hundred instructions in... and they escalated privileges to do it. And got a performance gain, so long as security isn't affected, and it theoretically wasn't 'til now. And so we all suffer a 1.5% performance hit to fix the hole. As for reading the TLB. The translation lookaside buffer is a special kind of stack, used as an index. Imagine programs in the pipeline. They get context switched every 4000-5000 clock cycles. The computer is a dumb box full of electric circuits and it doesn't know where anything is... and it's just like an undergrad reading a college textbook. You find a word you don't understand, so you mark your page, flip to the back, look in the alphabetical index, find out the meaning of the word, and move on. Only here the index is added to when a new program is started. As more programs are started, older entries are pushed down. When it needs to find something, it looks in the index, which can find any entry in a few clock cycles (in theory one, but there are 3 levels of index: fast, medium, slow). When it finds what it needs, it pulls it out, pushes everything above it down one, and puts what it found back on top. When the index is full, stuff falls off the bottom, which is like a freshman who can't find the word in the index, you have to search the whole book (search all of memory)... page 1, page 2, page 3.... if it can't find it, it coughs up an error. Back to security: reading the TLB might not be the keys to the kingdom, but it sure as heck is a map to the whole kingdom! AMD gets hit with this one too. Workarounds and more security regarding access to the TLB are ongoing.
The Linux developers had a security mechanism called "Full Unloading Complete Kernel With Indexed Trampolines". Their contempt for the hardware developers can be seen by abbreviating their workaround.
We pay top dollar for performance and now the hardware providers' solution to these vulnerabilities is to steal back performance. I think a partial refund of the purchase price is the only solution. How would a car enthusiast react if they purchased a Dodge Hellcat for example and six months in Dodge informs them they have to detune the motor so it performs like a typical sedan because it doesn't pass smog. There is no difference here. They should refund the difference between the Hellcat and the sedan.
1) Remove ALL supervisor code and all credential information from user process's virtual memory
2) All user mode I/O and supervisor calls are re-implemented as message passing functions with read-only user mode driver code in the client process and separate supervisor state driver code that only exists in the supervisor process
3) The supervisor and I/O drivers run on a separate CPU core from user code
4) If the supervisor and I/O drivers are idle flush the CPU L1 cache before running any user process on the Supervisor CPU
5) The ONLY shared memory between a user process and the supervisor are the I/O buffers pages for open user process I/O devices
6) User processes CANNOT load code, ALL code is marked execute-only/read-only
7) Fuzz the result of calls to get high resolution timer values to 100us resolution with a random value for us and ns values only trusted applications can access higher resolution timers
8) Trap all speculative access to out of bounds locations. Instead of allowing a process to continue if the condition is not met, disable the process and force manual intervention to re-enable the process until developers fix their bugs. Force the result of a speculative load of an invalid address to be zero in all cases.
You're welcome. I wish I could come up w/ something as effective vs. the Intel Spectre/Meltdown issue though.
APK
P.S.=> "Onwards & UPWARDS"... apk