Slashdot Mirror
Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public (reuters.com)
Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.
who exactly would trust them with this information? We all know they would have spent the last 6-months exploiting them and attempting to find more variations.
... else US would have "accidentally" leaked it to hackers and blamed Russia for it.
Is the Feds can ban Kaspersky and Huawei for not being secure for US government usage, perhaps Intel chips should be banned for use in government use.
Oh yeah, Intel is a US company, they can't do that now.
Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
They have lawyers. No fault of their own. Nope.
I bet the NSA knew and kept the information classified so they could use it against adversaries.
...should notifications go out alphabetically?
Cuba, Iran, North Korea, Russia, oh yes, and then the United States.
Not that there wouldn't be certain arguments for notifying the government where the company's headquarters is located, but how exactly would Intel (or any other company working on a global scale) be expected to comply with the myriad of governments that could pass laws requiring that they get notified first. It's a lot simpler and a lot more elegant if everyone finds out at the same time.
don't believe anything else.
six months after Alphabet notified the chipmaker of the problems
Alphabet is CIA, Intel/CIA knew years ago, they created and patented the bug in the first place.
Guys, Russia makes clone of Pentium 4 for its own military applications, its cost is around $3500 per chip and they consider it worth of making. They use them in government computers as well. The PCs have huge memory compared to original Pentium 4's, but idea is clear, don't rely on foreign chip makers.
We don't know probably these bugs are just sophisticated backdoors, which lost its sense when they became discovered by hackers, so Google started to push Intel to fix them.
Why on earth would anyone other than the people directly responsible for patching a security flaw get told about a security flaw. That is the entire point of moratoriums and the whole responsible disclosure business.
The government has no business knowing. Oh and despite the fact that this seems to have hit the popular news today, we actually already covered this here on Slashdot. https://it.slashdot.org/story/... I think I need to buy a lottery ticket.
They Care Nothing about the Flaw that should be obvious by there first PATCH that had to be Pulled.
The Only thing they care about is there Bottom Line, At Present as far as I am Concerned Intel Can Not be TRUSTED.
Matbe one of the many Lawsuits will Make them Sit up and Pay Attention.
Netburst was Intel's utter x86 architecture disaster- but at the time every major tech outlet declared it FAR superior to AMD's infinitely better Athlon 64, cos of Intel's Payolla.
Netburst was going to 10GHz, didn't ya know, and that was all that mattered. But Intel knew the truth, killed Netburst, and rebooted the Pentium 3, crossed with AMD innovations available to Intel via its cross patent licence with AMD.
So CORE 2 was born (now just called core). Only problem was, the dreadful 'engineers' at Intel Israel had sabotaged the design by removing all data privilege tests- the process by which a thread is blocked from accessing data owned by another thread of different privilege.
By dropping these hardware data blocks, Intel's architecture got faster- MUCH faster. And the NSA, GCHQ etc were guaranteed a method by which any user code injection would have access to any data on an Intel part.
Here's the current risk table- Intel since Netburst vs AMD's new amazing Ryzen:
Intel (core2/Core) AMD (Ryzen)
Meltdown: 1000 0
Spectre 500 0.1
AMD is a LITTLE slower per clock per thread on current compiler output down to the fact that Ryzen has low level hardware data privilege circuits, whereas Intel does not. Intel relies on DOMAIN methods- a hybrid technique that relies on trust and the OS.
All current Intel chips are broken by design and unfixable unless you only run one thread at a time on the entire chip and flush every chip asset each time you time slice a new thread. But to do this would reduce Intel's performance by perhaps 80-95%.
Intel cannot fix its architecture within even two years from this date. It needs a from scartch redesign. So Intel instead floods outlets all across the net with anti-AMD FUD.
Smart move for Intel. Would you tell your government where you keep your secrets?
They are everywhere, All I want to Know is When Intel is going to Replace the Broken Chips they Sold Everyone???????
In Computers there is no GREY Area it is YES or NO or Right and Wrong Intel Did it the Wrong Way to Get Ahead in the MHZ Race in the END all there CPU's are Broken, Just Take a look at Spot Prices for Replacements the only ones holding there own are Not Intel.
There are many departments in the government, and they don't talk to each other because of secrecy. I'm sure Intel told the "deep state" in both US and Israel. They told the people who hoarde 0-days. And there's no way you would know about it if they did. They just didn't tell all these spinup fragmented Cyberwehr offices all over the place that have no record of keeping secrets, and now one of them is whining about it.
Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities
Nice to see them being so proactive over the situation...Oh wait, what's the opposite of that ?
By Intel's standards, I shouldn't need locks on my front door since I haven't been burgled yet.
How do Intel know that nobody had exploited it, or at least weren't developing an exploit.
Makes you wonder, how many other security vulnerabilities there are in Intel chips that they're keeping quiet about ?
I hope the US intelligence agencies have deep hacks in place to harvest this kind of intel (pun?). These tech companies should be required to submit full, real-time, access to any possible security violations. Especially those operating as US companies or with a physical presence in the US.
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't
Just last month there was a story about them notifying the chinese government or something.
I don't think there is anything wrong with that. They should. But at the same time, they should notify the US government (and EU etc) as well.
This is why I think the whole "responsible disclosure" thing is bullshit.
The reality has shown that the companies do nothing in the meantime, and sit on it until the latest possible day.
Better to just let everyone know immediately and put pressure on them to fix it.
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't
It doesn't, the US gov works for the banks and corporations.
That's why banks get bail outs and CEOs get big bonuses.
We don't know if NSA knew about it all along. They surely wouldn't tell the public. And we don't know if Intel knew that NSA knew and therefore didn't inform based on that. If NSA didn't know, it looks bad. If NSA did know, it looks bad. Tough situation
Go back a few years to AMD's 'terrible' new architecture, Bulldozer (the reason many today still don't trust the insanely good Ryzen design).
The best x86 CPU analyst on the planet discovered that a L1-cache exclusive thread on one bulldozer module ran at 10 (relative performance rating). On the other module also 10, of course. But if both modules ran threads (in L1 cache) at the same time, with ZERO inter-thread code or data dependency, the two threads ran at 8+8, not 10+10. Why? Because SPECULATIVE data dependency hardware was active, ensuring pre-emptively no privilege errors could happen. Even tho the code made such impossible anyway.
Intel has ZERO low level data privilege testing hardware on core or core 2 designs- none. So Intel gets to keep that '10' performance rating even when the code is highly vulnerable to accessing data it has no right to access. Yes, the Intel chips literally cheat, and cheat hard. Intel relied on high level 'domain' methods, mostly implemented by the OS, to keep inter-process 'privacy'.
So Intel gained a massive IPC speed boost by cheating. But it also ensured the NSA, GCHQ and othert intelligence agencies had the ability to spy on any Intel based PC once even the lowest privilege code injection happened. The very reason today experts are in total panic over all Intel systems.
So why do liars state AMD Ryzen also has the same problem, when it does not. This is wholly Google's fault, since they gave fake news publicity to a very minor and impossible to exploit crack in the Ryzen system- something AMD had over-looked, mostly because of its insanely low odds of ever allowing rogue code a decent exploit. This is so-called 'spectre'. But spectre on Intel's broken-by-design architecture is more dangerous than 'meltdown', the attack vector that can never effect Ryzen, even in theory.
Intel's payolla currently colours all discussion of the subject on the net. Israeli linked 'the register' is possibly the worst outlet in this regard. The register was originally set-up to spread fake news about the dynamic RAM industry so money could be made by stock-market manipulation. Today the register operates in the model of Ruper Murdoch's 'the sun' newspaper in the UK. The register is at the forefront of speading Intel's FUD about Ryzen.
PS with a Ryzen friendly compiler (which doesn't yet exist), Ryzen would have a higher IPC than Intel's best- because AMD x64 architecture can issue 4 complex instructions at a time, whereas Intel issues one complex and 3 simple ones. Ryzen is inefficient at 1+3. Intel's core is insanely inefficient at 4+0. Understandably, given Intel's dominance in the marketplace, all compilers optimise for Intel's 'core'. But it is a lie to say that Intel, in theory, has a current advantage in IPC (or any other area outside of AVX512 and obsolete x87 FPU processing). However Intel does have almost 1GHz over Ryzen- the real reason code may show better results on Intel when code is mostly single-threaded and the machines clocked to their max.
There is so much distrust on both sides of the equation that they have to be publicly shamed to say anything.
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
Intel is not under any obligation to protect that information from the public.
Who says the feds have to be the first to know?
Not me.
Ehhh.... if I remember correctly, the possibility of this kind of attack was discussed at around the time speculative execution started to be considered. Unfortunately, I don't remember my source for this, but it was based on non-specialist technical publications that were widely available. (It might have been ComputerWorld or InfoWorld. Something along those lines.)
This isn't a comment about this particular implementation of the attack, but the idea of the attack. Meltdown is the result of thinking the attack was too difficult in principle, so it was safe to ignore the risk. I think Spectre is the result of thinking it was too difficult in practice, so the cost of speculative execution was worth the risk.
So the idea of the attack was out there before the chips were designed, it was just disregarded as impractical. I don't know who Vladimir Pentkovski is (or was), but he was definitely not the sole figure responsible.
I think we've pushed this "anyone can grow up to be president" thing too far.
Because AMD is careful not to cross privilege levels but Spectre attacks are user mode to user mode. So even though they may be two different users they are still in Ring 3. Spectre can only be used against kernel code if the kernel is convinced to run a user's code for some reason. Like an eBPF byte-code, for example.
But it can work really well for a sandboxed program to steal information from outside the sandbox.
So AMD is still vulnerable to speculation attacks.
Since the information came from Alphabet, they probably assumed the government already knew.
I don't believe in karma, I just call it like I see it.
Once again, we get to hear about risks to national security. Laughable ones, at that.
You have to assume that every endpoint on your network can be compromised. If your network security model cannot cope with widespread host infection, then your security is garbage. If they really cared about security, their networks should already have mitigations for Meltdown/Spectre-class malware in place.
Meltdown and Spectre aren't the first exploits either. They should have a plan for unexpected malware. There is no reason to assume that a given exploit will be discovered by a responsible actor. Quite frankly, the US government should be happy they were notified at all. Black hat, Chinese, and Russian hackers sure as hell aren't disclosing their exploits.
Instead of "raising concerns", these officials should double down on hardening their networks properly. This is useless showmanship.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
:). Disinformation rumors being spread by Intel or Russia...?...
I can find zero supporting sources that the security issue that is speculative-execution was ever discussed in any white papers anywhere before 6/27/17 though I can find lots of comments online from people saying they remember that and people accepting it as truth. The last link I provided was one hell of a lot of information I had never seen anywhere else before and explains who Pentovski is/was and it certainly appears as though Intel was so grateful to him for bringing over the know how on Russian military super computer tech (spec exec) that they named the Pentium chips after him... set up all of the West for transparent Russian intelligence gathering - a real digital Wilderness of Mirrors ? ;).
What difference does it make when law enforcement hides during a school shooting? It's every man for himself in this country.
I didn't say "white papers", I said "probably ComputerWorld or InfoWorld". That should say how detailed my knowledge was (when it was fresh). I don't remember what it was based on, but at a wild guess some conference proceeding or discussion. Something public, anyway.
As far as I can remember, it only came up once. It could also have been in Datamation, but I think by that time I'd stopped reading that one. The only other possibility is Byte, and that's really unlikely, as after the early 1970's I skipped most issues. (I did by the one about implementing a C subset in M6800 macros, though. And the Smalltalk issue. I don't remember any others.) I'm sure I'd dropped Dr. Dobbs, and they didn't cover that kind of news anyway.
I think we've pushed this "anyone can grow up to be president" thing too far.
My first reaction to the headline was to feel upset that Intel had not shared the information with the government earlier. I think this exposes a contradiction in my own views. I can imagine other scenarios where I'd feel like the government kept too many vulnerabilities secret. I'm not sure how to resolve this.
I keep hearing Intel is bring back trace caches
By white papers - I was being too specific - I mean anything, at all, published, as a source, that security was ever called out as an issue - when speculative-execution tech was (stolen? borrowed? recreated by the same guy whatever you want to call that) from the Russian military.
I see the info about Pentkovski has again been buried here - by lowering my comment threshold to negative (and my karma back down to terrible) - so the only thing most of the readers to the site will ever see related to this - is the disinformation to hide the facts - that this shit, this major fucking problem for the USA, came directly from Russia. Something even bigger is going on to keep this shit buried with absolutely no one talking about that Fact. imho.
Well the Register and Wikipedia seem to be in partial agreement with you about his influence on the Pentium. But the thing I heard about was before the Pentium was designed. That's all that showed up on the first page of a Google search. The earliest reference I quickly located was
https://hackaday.com/2018/01/0...
But this clearly isn't what I was referring to. The article I read wasn't about something in production, but rather about an approach to design that was being discussed.
That you couldn't find it on Google isn't a real surprise, as most such things never made it to the internet. That only happens if copyright has expired AND someone is interested enough to put it there. Even then you've got to wonder about the accuracy, because someone that interested often has an axe of some sort to grind. If it came out of the Internet Archive or the Gutenberg Project I'd trust it, but from somebody I don't know....probably not.
I think we've pushed this "anyone can grow up to be president" thing too far.
After seeing the text I noticed that the link, https://hackaday.com/2018/01/0... , didn't show the problem it was discussing. The title of the page was speculative-execution-was-a-troublemaker-for-xbox-360.
I think we've pushed this "anyone can grow up to be president" thing too far.
Yes, but I originally encountered the discussion of speculative execution flaws in print media which never hit the internet, and that was the reference to the earliest discussion of the problem that I could quickly find. It wasn't the original discussion (which was, I believe, before the chip was designed), but that (probably) didn't hit the internet, and was, AFAIK, only in print. So this was the best I could easily dig up.
I think we've pushed this "anyone can grow up to be president" thing too far.
I love a good conspiracy theory, except that's plainly not true. The flaws go all the way back the Pentium Pro, well before any of that happened. And for that matter, Netburst is also affected too.