Slashdot Mirror
Intel Did Not Tell US Cyber Officials About Chip Flaws Until Made Public (reuters.com)
Intel Corp did not inform U.S. cyber security officials of Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet notified the chipmaker of the problems, according to letters sent by tech companies to lawmakers on Thursday. From a report: Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities. Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.
who exactly would trust them with this information? We all know they would have spent the last 6-months exploiting them and attempting to find more variations.
... else US would have "accidentally" leaked it to hackers and blamed Russia for it.
Is the Feds can ban Kaspersky and Huawei for not being secure for US government usage, perhaps Intel chips should be banned for use in government use.
Oh yeah, Intel is a US company, they can't do that now.
Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
...should notifications go out alphabetically?
Cuba, Iran, North Korea, Russia, oh yes, and then the United States.
Not that there wouldn't be certain arguments for notifying the government where the company's headquarters is located, but how exactly would Intel (or any other company working on a global scale) be expected to comply with the myriad of governments that could pass laws requiring that they get notified first. It's a lot simpler and a lot more elegant if everyone finds out at the same time.
Netburst was Intel's utter x86 architecture disaster- but at the time every major tech outlet declared it FAR superior to AMD's infinitely better Athlon 64, cos of Intel's Payolla.
Netburst was going to 10GHz, didn't ya know, and that was all that mattered. But Intel knew the truth, killed Netburst, and rebooted the Pentium 3, crossed with AMD innovations available to Intel via its cross patent licence with AMD.
So CORE 2 was born (now just called core). Only problem was, the dreadful 'engineers' at Intel Israel had sabotaged the design by removing all data privilege tests- the process by which a thread is blocked from accessing data owned by another thread of different privilege.
By dropping these hardware data blocks, Intel's architecture got faster- MUCH faster. And the NSA, GCHQ etc were guaranteed a method by which any user code injection would have access to any data on an Intel part.
Here's the current risk table- Intel since Netburst vs AMD's new amazing Ryzen:
Intel (core2/Core) AMD (Ryzen)
Meltdown: 1000 0
Spectre 500 0.1
AMD is a LITTLE slower per clock per thread on current compiler output down to the fact that Ryzen has low level hardware data privilege circuits, whereas Intel does not. Intel relies on DOMAIN methods- a hybrid technique that relies on trust and the OS.
All current Intel chips are broken by design and unfixable unless you only run one thread at a time on the entire chip and flush every chip asset each time you time slice a new thread. But to do this would reduce Intel's performance by perhaps 80-95%.
Intel cannot fix its architecture within even two years from this date. It needs a from scartch redesign. So Intel instead floods outlets all across the net with anti-AMD FUD.
Smart move for Intel. Would you tell your government where you keep your secrets?
Of course intelligence agencies knew about it. While I'm not a huge fan (or detractor though) of Assange, he made a good case for Google being essentially an arm of the State Department. Why do you think that China has such an issue with Google? The US now warns about Chinese cell phone manufacturers and that their products are possibly unsafe, but this is very much a case of the fire pit calling the kettle black.
The NSA certainly knew of, and have likely been exploiting this for years. The only positive in this is that, unlike the last time, at least time time they didn't let their exploit out in the wild. That little gem, not telling the public about zero day vulnerabilities they failed to disclose, which they subsequently weaponized, then lost control of the code for, cost more billions in ransomeware attacks than any other single source.
The choice between trusting my US gov't, who supposedly answers to the American people, or a global multinational corporate that answers to no one, is no choice to me at all. I choose the US gov't
It doesn't, the US gov works for the banks and corporations.
That's why banks get bail outs and CEOs get big bonuses.
I wonder if they also make their own GPUs For use in brute force attacks.
If so could I buy a graphics card off them? I'm sure it would still windup cheaper than the current crypto markup on retail units.
Go back a few years to AMD's 'terrible' new architecture, Bulldozer (the reason many today still don't trust the insanely good Ryzen design).
The best x86 CPU analyst on the planet discovered that a L1-cache exclusive thread on one bulldozer module ran at 10 (relative performance rating). On the other module also 10, of course. But if both modules ran threads (in L1 cache) at the same time, with ZERO inter-thread code or data dependency, the two threads ran at 8+8, not 10+10. Why? Because SPECULATIVE data dependency hardware was active, ensuring pre-emptively no privilege errors could happen. Even tho the code made such impossible anyway.
Intel has ZERO low level data privilege testing hardware on core or core 2 designs- none. So Intel gets to keep that '10' performance rating even when the code is highly vulnerable to accessing data it has no right to access. Yes, the Intel chips literally cheat, and cheat hard. Intel relied on high level 'domain' methods, mostly implemented by the OS, to keep inter-process 'privacy'.
So Intel gained a massive IPC speed boost by cheating. But it also ensured the NSA, GCHQ and othert intelligence agencies had the ability to spy on any Intel based PC once even the lowest privilege code injection happened. The very reason today experts are in total panic over all Intel systems.
So why do liars state AMD Ryzen also has the same problem, when it does not. This is wholly Google's fault, since they gave fake news publicity to a very minor and impossible to exploit crack in the Ryzen system- something AMD had over-looked, mostly because of its insanely low odds of ever allowing rogue code a decent exploit. This is so-called 'spectre'. But spectre on Intel's broken-by-design architecture is more dangerous than 'meltdown', the attack vector that can never effect Ryzen, even in theory.
Intel's payolla currently colours all discussion of the subject on the net. Israeli linked 'the register' is possibly the worst outlet in this regard. The register was originally set-up to spread fake news about the dynamic RAM industry so money could be made by stock-market manipulation. Today the register operates in the model of Ruper Murdoch's 'the sun' newspaper in the UK. The register is at the forefront of speading Intel's FUD about Ryzen.
PS with a Ryzen friendly compiler (which doesn't yet exist), Ryzen would have a higher IPC than Intel's best- because AMD x64 architecture can issue 4 complex instructions at a time, whereas Intel issues one complex and 3 simple ones. Ryzen is inefficient at 1+3. Intel's core is insanely inefficient at 4+0. Understandably, given Intel's dominance in the marketplace, all compilers optimise for Intel's 'core'. But it is a lie to say that Intel, in theory, has a current advantage in IPC (or any other area outside of AVX512 and obsolete x87 FPU processing). However Intel does have almost 1GHz over Ryzen- the real reason code may show better results on Intel when code is mostly single-threaded and the machines clocked to their max.
Ehhh.... if I remember correctly, the possibility of this kind of attack was discussed at around the time speculative execution started to be considered. Unfortunately, I don't remember my source for this, but it was based on non-specialist technical publications that were widely available. (It might have been ComputerWorld or InfoWorld. Something along those lines.)
This isn't a comment about this particular implementation of the attack, but the idea of the attack. Meltdown is the result of thinking the attack was too difficult in principle, so it was safe to ignore the risk. I think Spectre is the result of thinking it was too difficult in practice, so the cost of speculative execution was worth the risk.
So the idea of the attack was out there before the chips were designed, it was just disregarded as impractical. I don't know who Vladimir Pentkovski is (or was), but he was definitely not the sole figure responsible.
I think we've pushed this "anyone can grow up to be president" thing too far.
Because AMD is careful not to cross privilege levels but Spectre attacks are user mode to user mode. So even though they may be two different users they are still in Ring 3. Spectre can only be used against kernel code if the kernel is convinced to run a user's code for some reason. Like an eBPF byte-code, for example.
But it can work really well for a sandboxed program to steal information from outside the sandbox.
So AMD is still vulnerable to speculation attacks.