Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public

Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

First good news from this whole fiasco

[Daneel+Olivaw+R.+]

... else US would have "accidentally" leaked it to hackers and blamed Russia for it.

Re:Ban Intel chips for all US government use

[jpschaaf]

I'm sure Intel dabbles in plenty of government contracts, but processors are a consumer good, not a defense product.

If Intel had to choose between selling on the international consumer market and selling to the US government, I'm pretty sure they'd dump the government in about 5 seconds.

If the US government really wants a secure processor, they should get a secure processor... instead of using the same consumer-grade contraption that I use to surf the web.

Smart

[foxjazz4003]

Smart move for Intel. Would you tell your government where you keep your secrets?

Re:You belive this bullshit?

[Excelcia]

Of course intelligence agencies knew about it. While I'm not a huge fan (or detractor though) of Assange, he made a good case for Google being essentially an arm of the State Department. Why do you think that China has such an issue with Google? The US now warns about Chinese cell phone manufacturers and that their products are possibly unsafe, but this is very much a case of the fire pit calling the kettle black.

The NSA certainly knew of, and have likely been exploiting this for years. The only positive in this is that, unlike the last time, at least time time they didn't let their exploit out in the wild. That little gem, not telling the public about zero day vulnerabilities they failed to disclose, which they subsequently weaponized, then lost control of the code for, cost more billions in ransomeware attacks than any other single source.

Two reasons all recent Intel CPUs have this flaw

Go back a few years to AMD's 'terrible' new architecture, Bulldozer (the reason many today still don't trust the insanely good Ryzen design).

The best x86 CPU analyst on the planet discovered that a L1-cache exclusive thread on one bulldozer module ran at 10 (relative performance rating). On the other module also 10, of course. But if both modules ran threads (in L1 cache) at the same time, with ZERO inter-thread code or data dependency, the two threads ran at 8+8, not 10+10. Why? Because SPECULATIVE data dependency hardware was active, ensuring pre-emptively no privilege errors could happen. Even tho the code made such impossible anyway.

Intel has ZERO low level data privilege testing hardware on core or core 2 designs- none. So Intel gets to keep that '10' performance rating even when the code is highly vulnerable to accessing data it has no right to access. Yes, the Intel chips literally cheat, and cheat hard. Intel relied on high level 'domain' methods, mostly implemented by the OS, to keep inter-process 'privacy'.

So Intel gained a massive IPC speed boost by cheating. But it also ensured the NSA, GCHQ and othert intelligence agencies had the ability to spy on any Intel based PC once even the lowest privilege code injection happened. The very reason today experts are in total panic over all Intel systems.

So why do liars state AMD Ryzen also has the same problem, when it does not. This is wholly Google's fault, since they gave fake news publicity to a very minor and impossible to exploit crack in the Ryzen system- something AMD had over-looked, mostly because of its insanely low odds of ever allowing rogue code a decent exploit. This is so-called 'spectre'. But spectre on Intel's broken-by-design architecture is more dangerous than 'meltdown', the attack vector that can never effect Ryzen, even in theory.

Intel's payolla currently colours all discussion of the subject on the net. Israeli linked 'the register' is possibly the worst outlet in this regard. The register was originally set-up to spread fake news about the dynamic RAM industry so money could be made by stock-market manipulation. Today the register operates in the model of Ruper Murdoch's 'the sun' newspaper in the UK. The register is at the forefront of speading Intel's FUD about Ryzen.

PS with a Ryzen friendly compiler (which doesn't yet exist), Ryzen would have a higher IPC than Intel's best- because AMD x64 architecture can issue 4 complex instructions at a time, whereas Intel issues one complex and 3 simple ones. Ryzen is inefficient at 1+3. Intel's core is insanely inefficient at 4+0. Understandably, given Intel's dominance in the marketplace, all compilers optimise for Intel's 'core'. But it is a lie to say that Intel, in theory, has a current advantage in IPC (or any other area outside of AVX512 and obsolete x87 FPU processing). However Intel does have almost 1GHz over Ryzen- the real reason code may show better results on Intel when code is mostly single-threaded and the machines clocked to their max.

Re:Vladimir Pentkovski did it Intel named Pentium

[HiThere]

Ehhh.... if I remember correctly, the possibility of this kind of attack was discussed at around the time speculative execution started to be considered. Unfortunately, I don't remember my source for this, but it was based on non-specialist technical publications that were widely available. (It might have been ComputerWorld or InfoWorld. Something along those lines.)

This isn't a comment about this particular implementation of the attack, but the idea of the attack. Meltdown is the result of thinking the attack was too difficult in principle, so it was safe to ignore the risk. I think Spectre is the result of thinking it was too difficult in practice, so the cost of speculative execution was worth the risk.

So the idea of the attack was out there before the chips were designed, it was just disregarded as impractical. I don't know who Vladimir Pentkovski is (or was), but he was definitely not the sole figure responsible.