Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com)
Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
I can't wait to get my $3 !!
I'm pretty sure Intel never made promises that it was a highly secure chip. They mainly market on power and performance.
“Common sense is not so common.” — Voltaire
I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity. Please do not encourage the spread of this misinfo. It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.
https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html
Warning: Should a future vulnerability be discovered in this technology--which is almost certainly incomprehensible to you anyway and may as well be considered "magic"--corrective updates may impact advertised performance.
The Daddy casts sleep on the Baby. The Baby resists!
30 sounds low. Throw the book at 'em!
Table-ized A.I.
Mistake 1: A major engineering design flaw.
Mistake 2: Neglected to force their users to enter into a binding arbitration agreement before using the CPUs.
Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them. Beware: Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode; use me_cleaner with the -S option to set the HAP bit. See me_cleaner: HAP AltMeDisable bit.
Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
me_cleaner: Set HAP AltMeDisable bit with -S option
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could ga
Meltdown which is the worst of all and was probably done on purpose to cheat in benchmarks only hits Intel.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Don't fall for Intel's PR tactics.
Meltdown is much worse than Spectre and Meltdown is an Intel only flaw.
No purchases until hardware fix.
No it doesn't. Read again.
The summary is fucking wrong, and the writer of it probably got paid by Intel.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Lovely bug that can't be fixed by microcode. Millions of flawed CPUs out there. What's the technology that pushes native code to run in web browsers called again? Can't wait for that clusterfuck to happen.
It isn't Intel only, ARM's Cortex A75 was vulnerable. The A75 chip is the only high-end core designed by ARM since the patent on the technique that turns out to be vulnerable to Meltdown expired. Intel helpfully (in retrospect) protected the industry by patenting it and not including it in any of their cross-licensing agreements, preventing anyone else from being vulnerable. The technique improved system call performance, so if you regard making system calls faster, then I suppose it was for cheating at benchmarks.
I'm quite nervous about these lawsuits, because Intel looks like a really attractive target at the moment (and I certainly wouldn't cry about them losing some money), but setting the precedent that you're liable if your product is vulnerable to exploit techniques that are invented after the product ships would be very dangerous for the entire industry. If you set that precedent, then even formal verification isn't enough, because formal verification only lets you prove correctness with regards to properties that you enumerate.
I am TheRaven on Soylent News
Will they have to actually demonstrate a material loss resulting from a security breach associated with the flaw, including some kind of material proof that the flaw was actually the cause of the breach?
I'm kind of guessing time spent running around and patching probably isn't something they can sue for, otherwise MS would have been out of business ages ago on this item.
And what do they actually hope to get out of it? New CPUs not compatible with their existing motherboards? A cash payment based on the pro-rated cost of the microprocessor itself based on remaining life cycle?
I can see the obvious desire to rake Intel over the coals and perhaps they deserve some of it, I just don't get how you can link any specific loss to this chip flaw, or if you can, it's extremely hard to prove.
I'm also curious if there's not some general defense for Intel along the lines of "running a computing infrastructure involves dealing with bugs and flaws in hardware and software, problems will arise".
but setting the precedent that you're liable if your product is vulnerable to exploit techniques that are invented after the product ships would be very dangerous for the entire industry.
Fuck off, make dangerously broken shit and you need to do a recall, just like the auto industry.
I already know I don't have it in me to take Intel to court, but I'm pretty peeved since I bought an i5-7500 right before this stuff was announced (and you can't return processors anywhere). It knocked about 5% off the performance and I would have waited until the next gen stuff was out this year or next (or bought a Ryzen) if I'd known.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I mean, thinking this all through, it seems to be a frivolous exercise without some massive shift.
Intel grossed over $60 billion in FY 2016. Even if each of these lawsuits requires Intel to pay $1 billion, and all of them are won, it's less than six months of revenue for them - not fun, but not the corporate equivalent of $150,000 in individual medical debt, either. Intel has enough in the bank to ride the storm, and simply bump up CPU prices by another 15% until the costs are paid...and then leave the prices there.
In a perfect world, this would give AMD the golden opportunity to pick up the slack. The Ryzen line of processors has been met with a whole lot of favorable press; they could easily take over the i3/i5/i7 desktop/laptop markets from a performance perspective. However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.
The server room is still Intel's. Dell, HP, and Lenovo have dabbled in a few AMD-based machines (I've got a pair of Opteron-based R415's running as routers myself), but with AMD having misstepped with the Bulldozer architecture and certain server applications being all "we only support Intel", I don't see AMD making massive inroads there either. This is compounded by the likelihood that Dell ordering 0.8X Xeon processors from last year and making up the slack with newer Opterons is going to inevitably involve a higher per-processor price, making their servers more expensive, meaning that if Lenovo keeps their orders up, they will be cost favorable, leaving Dell less able to compete on price unless sysadmins really do start ordering AMD-based servers for their racks.
Now, the one player that really could make a dent would be Samsung - there's not a laptop component they don't make except the processor at this point, so retooling their Exynos chip fabs to make an x86 processor that can compete with an i3 and deliver an end-to-end, single-manufacturer laptop or desktop is in the cards for them, certainly more so than any other manufacturer. If they can pitch one running Android and avoid a Windows license, even better. Even so, it's risky for Samsung, and although they can eat a pretty big loss, trying to capitalize on Intel while they are down and hoping that consumers end up buying a laptop sporting a CPU from a relative newcomer is not the kind of gamble that risk-averse execs are likely to go full force on.
In summary, Intel CPU processors will rise, AMD may well be capable of meeting demand but OEMs, retailers, sysadmins, and consumers are going to be a bit skittish about giving AMD a shot when Intel is a known quantity, and while Samsung could probably kick 'em while they're down, it's highly debatable that they will do so. In the end, Intel is likely to just raise prices and the world continues as normal.
Try that in America, where we do jury trials for a lot of these sorts of things, and it'll blow up in your face. In the rest of the world that might work, though.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The summary is how Intel wants this communicated so that they can spread the blame more.
Intel not only made dangerously broken CPUs which had been predicted to be dangerously broken (without a definite exploit) before they were designed, but if they didn't already know about how to exploit it, they were informed at least 6 months before the public notice, and appear to have taken no steps to mitigate the problem prior to public notice. We can't really know, but the patches that they rushed out after notice was made public were so poor that they probably hadn't done anything.
Etc.
I'm willing for Intel to prove that they were acting in a reasonable and ethical manner, but the preponderance of the evidence seems against that assumption.
I think we've pushed this "anyone can grow up to be president" thing too far.
My personal opinion is that they are liable for replacing every CPU they sold after they were aware of this problem without disclosing it. I don't fault them for selling CPUs when they were not aware. The i9 7940X, 7960X and 7980X should not have been released last year or if released only with a disclosure of vulnerability.
and was probably done on purpose
Yes because optimising code paths exist only to cheat benchmarks.
Some people have really lost their grip on reality. Are you by any chance that crazy person who's trying to launch himself into the sky on a steampunk rocket?
The summary is fucking wrong
It is nothing of the sort. Spectre affects most CPUs including AMD, Meltdown affects most CPUs *except* for AMD. Just because AMD did something right doesn't mean that there aren't examples of SPARC, ARM, and multiple lines of Power chips affected too.
Painting this as Intel only is just as absurd as lumping AMD together with Intel when discussing 2 separate flaws.
(yes, i know, if you google "specter proof of concept" you will find things, but what you will find is a proof of concept for meltdown called a proof of concept of specter. Some code-faggot got PAID to conflate the two, not to mention the scholastic-fag who wrote the scholarly paper conflating the two he refers to).
Meltdown is Intel only.... but don't worry. If you're running Intel, you're PWNT by IME/AMT anyway.
Spectre is a different threat, conflated with Meltdown because it benefits Intel PR. All CPUs are vulnerable to Spectre, but according to AMD, real-world use of the vulnerability is nearly impossible, and mitigation of the vulnerability is actually impossible. I don't know about you, but I trust AMD more than the guy pointing saying "Hey, him too!"
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Meltdown is Intel only
Yes, which is why IBM, Broadcom, ARM and Oracle have issued statements about how they are affected by Meltdown, or in Oracle's case they published a list of processors not affected ... a very short list and said nothing more.
AMD is not vulnerable to Meltdown. That doesn't mean it's Intel only. The bug is related to a specific optimisation that is used in a variety of architectures.
When you post things like this, log in first unless you really ARE a coward.
Dog is my co-pilot.
MIGHT have been done to make benchmarks better but without the realization that it exposed a vulnerability. Often engineering projects are success-oriented, and once the chip was running all of the tests and benchmarks and the performance was good, that may have been as hard as anybody looked. You need to have people whose job it is to break all such new products, but that both costs more and delays the time to market, and executives rarely want either.
Dog is my co-pilot.
LOL you're a fucking moron, 10 years ago the world didn't run on social media, now news travels fast, very fast.
AMD is killing Intel in performance and prices, that's what the customers see, not what AMD fucking released 10 years ago.
You think like a moron, stop thinking with Intel's dick in your mouth.
Normally I would just ignore the AC who can't spell my name right...
We agree that AMD's mainline CPUs are at least equivalent, if not superior, to Intel's offerings. The issue isn't that AMD had very low end processors a decade ago, but that AMD's low end processors have been the most readily accessible to customers for the past decade. The brief time when AMD beat Intel to 64-bit desktop CPUs with the Athlon64 line was the last time, to my recollection, that midrange machines sporting both Intel and AMD shared shelf space side by side in most computer retailers. Since about the Core 2 Duo/Quad era, it's been rare to see a midrange or high end laptop or desktop with an AMD processor; it's the sub-$400 machine space where AMD has been hanging out for a very long time.
Now yes, people like you and I know better. My last two NAS builds, along with my homebrew cable box, are all FX-6300 based (as are three others I built for friends and clients). My original post indicates that I've got a pair of Opteron-based Poweredge servers functioning as routers. I've personally bought more AMD processors than Intel processors, because they deliver solid performance at a good price (and are a good fit for FreeNAS because they support ECC RAM at 1/3 the price of a Xeon).
Go to Bestbuy.com and filter laptops by Ryzen5 and Ryzen7 processors. In my region there were precisely two options available. There were three laptops listed with Xeon processors. Over a hundred each for i3's and i5's. 3/4 of the other AMD laptops were in the under-$500 range, with three under $300. Now, you can argue that I'm a moron for using Bestbuy.com as my baseline because everyone shops at Amazon, but I don't have that kind of time and there are still plenty of people unlikely to buy a laptop sight unseen.
This leaves us with the custom build market for the more powerful CPUs to reside, but in my experience, that's still a bit of a crapshoot. It's dumb to recommend AMD wholesale when someone going to Costco is likely to get one of the lower end CPUs in the box, rather than the nicer processors you and I both know they make. There are still some people who are willing to have their machines custom built, but it's a relatively small market that is far less likely to get the sort of social media traction that would be able to stem a decade's worth of inertia.
Even if this ends up being AMD's time to shine and they're able to muscle their way past all of this, Intel can either reduce prices provisionally or can pull some 90's Microsoft back door deals to ensure more prominent advertising and similar, bringing it all back to status quo.
I'm not an Intel shill, but I've watched far BP and Bank of America and Equifax pay virtually no consequences for their poor actions. I do not put it past Intel to do anything different.
Meltdown which is the worst of all
That remains to be seen. Meltdown is a big problem if unpatched. However, patches are available, and they appear to work.
Spectre is harder to exploit, but also harder to mitigate. Nobody has fully patched Spectre; the in-flight 4.16 Linux kernel has only the beginning of Spectre patches, and the situation isn't any better with other OSes.
Spectre, unlike Meltdown, will haunt for years to come.
-- Sometimes you have to turn the lights off in order to see.
Intel not only made dangerously broken CPUs which had been predicted to be dangerously broken (without a definite exploit) before they were designed
Really? Care to cite those predictions (ideally from 1995 or earlier, when Intel introduced this feature)?
they were informed at least 6 months before the public notice, and appear to have taken no steps to mitigate the problem prior to public notice.
They disclosed the vulnerabilities to ARM and worked with Microsoft, Apple, and some Linux developers on work-arounds, though the Linux people completely botched the embargo.
I am TheRaven on Soylent News
Spectre, unlike Meltdown, will haunt for years to come.
As she's been doing since 2006 https://dota2.gamepedia.com/Sp...
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Have you taken note of how Meltdown and Spectre are getting conflated, by EVERYONE....?
The only other CPU vendor I heard of being vulnerable to Meltdown is Qualcomm.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Then you haven't been listening. IBM's advisory specifically calls out all three CVEs. Even news articles which know what they were talking about when they said Meltdown was thought to only affect Intel and some ARM processors have pointed out it also affects all of the POWER architecture processors.
And Oracle gave a long list of SPARC architectures that were affected by Spectre along with a patch, and then gave a single note that said SPARCv9 systems are not affected by Meltdown, and then proceeded to refuse to answer any customer questions (seriously go check their forums for a very interesting number of ways one can say "no comment") when asked about earlier SPARC systems. Make of that what you will.