Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com)
Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
I can't wait to get my $3 !!
I'm pretty sure Intel never made promises that it was a highly secure chip. They mainly market on power and performance.
“Common sense is not so common.” — Voltaire
I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity. Please do not encourage the spread of this misinfo. It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.
https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html
Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset are running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS; Wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them. Beware: Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode. Use me_cleaner with the -S option to set the HAP bit; see me_cleaner: HAP AltMeDisable bit.
Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
me_cleaner: Set HAP AltMeDisable bit with -S option
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could ga
Meltdown, which is the worst of all and was probably done on purpose to cheat in benchmarks, only hits Intel.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
The summary is fucking wrong, and the writer of it probably got paid by Intel.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Will they have to actually demonstrate a material loss resulting from a security breach associated with the flaw, including some kind of material proof that the flaw was actually the cause of the breach?
I'm kind of guessing time spent running around and patching probably isn't something they can sue for, otherwise MS would have been out of business ages ago on this item.
And what do they actually hope to get out of it? New CPUs not compatible with their existing motherboards? A cash payment based on the pro-rated cost of the microprocessor itself based on remaining life cycle?
I can see the obvious desire to rake Intel over the coals and perhaps they deserve some of it, I just don't get how you can link any specific loss to this chip flaw, or if you can, it's extremely hard to prove.
I'm also curious if there's not some general defense for Intel along the lines of "running a computing infrastructure involves dealing with bugs and flaws in hardware and software, problems will arise".
I mean, thinking this all through, it seems to be a frivolous exercise without some massive shift.
Intel grossed over $60 billion in FY 2016. Even if each of these lawsuits requires Intel to pay $1 billion, and all of them are won, it's less than six months of revenue for them - not fun, but not the corporate equivalent of $150,000 in individual medical debt, either. Intel has enough in the bank to ride the storm, and simply bump up CPU prices by another 15% until the costs are paid...and then leave the prices there.
In a perfect world, this would give AMD the golden opportunity to pick up the slack. The Ryzen line of processors has been met with a whole lot of favorable press; they could easily take over the i3/i5/i7 desktop/laptop markets from a performance perspective. However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.
The server room is still Intel's. Dell, HP, and Lenovo have dabbled in a few AMD-based machines (I've got a pair of Opteron-based R415's running as routers myself), but with AMD having misstepped with the Bulldozer architecture and certain server applications being all "we only support Intel", I don't see AMD making massive inroads there either. This is compounded by the likelihood that Dell ordering 0.8X Xeon processors from last year and making up the slack with newer Opterons is going to inevitably involve a higher per-processor price, making their servers more expensive, meaning that if Lenovo keeps their orders up, they will be cost favorable, leaving Dell less able to compete on price unless sysadmins really do start ordering AMD-based servers for their racks.
Now, the one player that really could make a dent would be Samsung - there's not a laptop component they don't make except the processor at this point, so retooling their Exynos chip fabs to make an x86 processor that can compete with an i3 and deliver an end-to-end, single-manufacturer laptop or desktop is in the cards for them, certainly more so than any other manufacturer. If they can pitch one running Android and avoid a Windows license, even better. Even so, it's risky for Samsung, and although they can eat a pretty big loss, trying to capitalize on Intel while they are down and hoping that consumers end up buying a laptop sporting a CPU from a relative newcomer is not the kind of gamble that risk-averse execs are likely to go full force on.
In summary, Intel CPU processors will rise, AMD may well be capable of meeting demand but OEMs, retailers, sysadmins, and consumers are going to be a bit skittish about giving AMD a shot when Intel is a known quantity, and while Samsung could probably kick 'em while they're down, it's highly debatable that they will do so. In the end, Intel is likely to just raise prices and the world continues as normal.
The summary is how Intel wants this communicated so that they can spread the blame more.
Now, that may be the moral obligation, but the legal concept is much more difficult to define.
How dangerous is dangerous enough to warrant a recall? Sure, this may leak some data, but now that the vulnerabilities are known, they can be mitigated... or do we also claim that software vendors who don't implement mitigations are making a "dangerous" product?
Who's responsible for the recall? I've rarely purchased directly from Intel. More often, I buy CPU/motherboard combos from vendors. Are they going to support the recall? My mother isn't qualified to take apart her computer and replace the chip, so who's paying for the tech to come out and do it?
You do not have a moral or legal right to do absolutely anything you want.
(yes, i know, if you google "specter proof of concept" you will find things, but what you will find is a proof of concept for meltdown called a proof of concept of specter. Some code-faggot got PAID to conflate the two, not to mention the scholastic-fag who wrote the scholarly paper conflating the two he refers to).
Meltdown is Intel only... but don't worry. If you're running Intel, you're PWNT by IME/AMT anyway.
Spectre is a different threat, conflated with Meltdown because it benefits Intel PR. All CPUs are vulnerable to Spectre, but according to AMD, real-world use of the vulnerability is nearly impossible, and mitigation of the vulnerability is actually impossible. I don't know about you, but I trust AMD more than the guy pointing saying "Hey, him too!"
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016