Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed

Long-time Slashdot reader Bruce Perens writes: The Register reports that Debian is rejecting a new Intel microcode update because of a new license term prohibiting the use of the CPU for benchmarks and profiling.

There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results." UPDATE:: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."
The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.

Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.

So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.

You'll never get a first post

with these security patches installed, m'ladies

Re:You'll never get a first post

[Z00L00K]

Those that have security concerns are willing to take performance penalties, those that want performance usually don't worry too much about the security issues since the performance hunters are probably just running a single application anyway.

What might be interesting is to be able to boot the computer in different modes - performance or security mode. The Turbo button revival!

Re: You'll never get a first post

[Zero__Kelvin]

I have no idea where you got that idea, but in general any such generalization / assumption will be wrong. Nobody is OK with performance slowdowns, especially when the degree of performance degradation is an unknown.

Re:You'll never get a first post

[Ol+Olsoc]

Those that have security concerns are willing to take performance penalties, those that want performance usually don't worry too much about the security issues since the performance hunters are probably just running a single application anyway.

What might be interesting is to be able to boot the computer in different modes - performance or security mode. The Turbo button revival!

I love the idea! Although it would probably show the 5-10% slowdown is a real myth. I have a laptop that overall seems to have slowed down by about half.

Now that's not "benchmarked", but apparent performance.

Re: You'll never get a first post

[aliquis]

Stop assuming people who run games care less about security than those possible just using the computer for one task where this may not be a risk.

People who game likely use their machine in a way putting them at risk.

Re: You'll never get a first post

[aliquis]

Just test and see yourself?

Re: You'll never get a first post

[The-Ixian]

I have no idea where you got that idea, but in general any such generalization / assumption will be wrong. Nobody is OK with performance slowdowns, especially when the degree of performance degradation is an unknown.

I think are a generalizing about who is "OK" with performance slowdowns.

Personally, I would be ok with some performance loss if my security is enhanced. It just depends on how much performance is lost.

Re: You'll never get a first post

[Z00L00K]

Just wait for a Russian to publish it.

Re: You'll never get a first post

[aliquis]

The micro-code updates aren't permanent changes in the processor.

One can just enable it and run the system like that and then notice if it become slower or not, even with your own benchmark whatever Intel say and if it did and you don't want it just disable it again.

You aren't enabling it in the dark and then stuck with it. Well unless you run Windows 10 and Microsoft force you to update and install it all the time.

Re: You'll never get a first post

[Zero__Kelvin]

Yeah. I should have said "in general". Oh, look, I did and you just "forgot" to boldface that part of my statement.

Intel. Just say no

Making a bad situation, worse.

Re:Intel. Just say no

>_ Inasmuch as I agree with "Just say no", it's not so simple.

See, I work for the government. We have to keep transparency in procurement. That is not an option; the public is our "boss". Hiding things is unacceptable.

Benchmarks are a necessary part of choosing a product.

And we must "publish or provide any Software benchmark or comparison test results", so that the procurement process is documented to be led impartially.

I have the law and a contract to choose which I will abide by.

Either I will violate the contract later or exclude Intel from bidding a priori.

Re:Intel. Just say no

[hcs_$reboot]

Microsoft didn't say No.

Re:Intel. Just say no

[hcs_$reboot]

"You will not, and will not allow any third party to ..."

Re: Intel. Just say no

i think its actually illegal to sell consumer products with such strings attached, in most countries anyways.

intel is opening itself for a lawsuit here

Re: Intel. Just say no

the license says that debian would have to restrict anyone using the software from running any benchmarks.

they can't do that.

even windows has built in benchmarks. either microsoft didn't care OR just said to intel okay whatever, good luck with that.

also intel has to agree to microsofts licenses which shove the responsibility right back at intel.

Re:Intel. Just say no

"You will not allow any third party to anything" is an evil license clause. IMHO, it is the reason why Debian rejected the patch. Yes, they have a "non-free" repository, but it is reserved only for not open-source (or non-DFSG compliant) freeware without any evil license clauses. These Intel patches are not qualified to go there. Perhaps, Debian could think about creating an "evil" repository in addition to the currently used "main", "contrib" and "non-free"?

Re:Intel. Just say no

[MachineShedFred]

Looks like AMD is getting government business, or a FOIA request will be causing a legal showdown.

Re:Intel. Just say no

[ewanm89]

That and said terms are illegal. Seriously, very illegal.

If Intel tried to enforce such a term in a court the court will throw it out.

One can not ever just write a EULA that stamps on statutory rights and force it on people. And benchmarks are covered under rights to give fair criticism meanwhile some countries also have a right to reverse engineer for compatibility reasons.

Re:Intel. Just say no

[Z00L00K]

AMD most likely suffers from similar issues. Not identical, but related.

The more different the architecture is from the x86 strain the better since it would cause more trouble for those trying to utilize flaws to keep up with all the different architectures.

Re:Intel. Just say no

[ewanm89]

Law always trumps contract. EULA is a one sided contract and therefore very limited in comparison anyway. Publishing benchmarks is a form of critique and is specifically allowed under fair use or a copyright exception in most countries, this makes the term invalid and will not be held up in any court.

Speak to your government lawyers, they wrote such laws.

Re:Intel. Just say no

[DarkOx]

The more different the architecture is from the x86 strain the better since it would cause more trouble for those trying to utilize flaws

I find this claim questionable. Do you have some examples to back that up. Certainly reproducing it in the lab with some other chip would be more effort you'd have to basically start over. I am not sure that its appreciably harder to actually perform an attack in a life environment. I don't me just a POC where you read some memory that did not belong to you. I am talking an actual useful attack on a live system.

That to me has a few requirements and alternatives.
1) You have something you can deliver as shell code or as payload to include in malware. So its got be small and not look super suspicious to heuristic tools or signature based AV.
2) Its got to have a useful level of reliability. IE its go to work at least 1 in 10K tries. That is to be minimally useful weaponized as worm etc; its got to be much better for target attacks
3) Either you need to be able to target specific memory so you obtain 'crown jewls' or you need be able to dump a lot of memory (sort thru the haystack for something useful theory). If you do the later that brings us to 3a
3a) you can't be the hottest process on the system for hours on end because you'd be detected in an instant.

So I think we talking a major effort by what is actually not that big a pool of folks with the technical know how to build something workable. I have been a developer for decades working in the security segment and I certainly would not have the skills to design something like that. I know people who do but not very many. A couple of them are ex-NSA and when we were discussing this they suggest even the NSA only has handful of people with the expertise to use these types of attacks in the wild; perhaps a handful more who could be brought up to speed quickly; if they were pulled from other areas of research.

Re:Intel. Just say no

[mark-t]

Do they define "allow"?

Is the mere act of providing it to someone who later goes and does what you are prohibited from doing by that eula, even without your involvement beyond the initial act of providing it, considered "allowing" them?

If so, Intel can just... let me see if I can put this delicately.... go fuck themselves so hard that they die.

Re:Intel. Just say no

[hcs_$reboot]

Interestingly, Intel stock keeps being quite stable.

Re: Intel. Just say no

[aliquis]

Intel are a dressing this and removing this part.

Re:Intel. Just say no

[brxndxn]

Wouldn't a 'security microcode patch' be something similar to a recall on a vehicle? Like.. how far would Ford get if they had a recall that took a toll on gas mileage and you had to promise not to publish the updated gas mileage if you accepted the recall?

Someone needs to hurry up and just publish some results.. I wanna see how much my servers are going to slow down because of this.

Re:Intel. Just say no

[ewanm89]

Sorry, but Ford can't hold you to that too. Benchmark performance data is critique and comes under fair use in the US. In places like the UK there is an equivalent exceptions to things like copyright laws to specifically allow such data distribution as it is critique for the consumer. An EULA or other contract of adhesion (where one party drafts it and has it in a take it or leave it way) can just stomp on ones consumer rights, such terms are often thrown out by the judge when they come up in a court. Ultimately no contract can be used to force someone to break the law.

In this particular case, the wording had them holding third parties to the same standard without those third parties ever agreeing to it, that is a big no no. It is more like Ford issuing a recall and providing terms when sending the parts to the dealership that third parties (the customers) using those parts can not publish gas mileage data when they get their cars back and the dealership is responsible if they do.

As for data, several including Redhat and Microsoft have published benchmarking data anyway. The big issue is the recommendation hyper-threading is disabled, new microcode or not. Depending on workload that can cause a major performance hit, or in some rare circumstances a performance boost.

Who is this Bruce Perens guy.

And the bigger question why is he not posting spam and dups like the rest of slashdot editors?

Re:Who is this Bruce Perens guy.

[Bruce+Perens]

why is he not posting spam and dups like the rest of slashdot editors?

Because they've never actually given me inside access to Slashdot. It's their playground. One or two editors look for things I've written, mostly the folks who work on the weekend.

I screw up as much as anyone else.

Re:Who is this Bruce Perens guy.

[Mal-2]

I don't, he's probably just better at not committing his stupidity to the public record. We all fuck up.

Re:Who is this Bruce Perens guy.

[q_e_t]

You are too modest. You have been a huge asset to the community over many, many years. You are allowed the occasional error.

Re:Who is this Bruce Perens guy.

[thegarbz]

You are allowed the occasional error.

Not on Slashdot your not.

Re:Who is this Bruce Perens guy.

[MachineShedFred]

I'm guessing intended grammar irony for the lulz?

Re:Who is this Bruce Perens guy.

[thegarbz]

Did it not work! Damn?

Re:Who is this Bruce Perens guy.

[Mal-2]

I suppose it depends where you draw the line.

If something that makes you say "oops" is a fuckup, then I'm sure he does it as much as anyone. What he doesn't do so much are things for which he has to publicly apologize, so if that's where you draw the line, then you are also right.

Re:Who is this Bruce Perens guy.

[Dareth]

Forget who he is. Look at that Slashdot UID.

Quick fix:

[Gravis+Zero]

Only buy AMD.

Re:Quick fix:

Only buy POWER, BLOB free

Re:Quick fix:

[rahvin112]

Actually no it doesn't. Of the 11 Spectre Variants AMD has only been vulnerable to about 3. And two of those variants were the ones that affected every out of order processor ever made.

Re:Quick fix:

[that+this+is+not+und]

You can buy the USSR version of an 8086 processor on eBay.

Re:Quick fix:

[Bruce+Perens]

If you want a fully-open processor, there is Risc-V.

Re:Quick fix:

[chill]

Is it? Everything I've read lately is the ISA is free, but there are plenty of blobs for the other components that make an actual processor. It has the potential to be a truly free processor, but the early players don't have the resources for that.

I think POWER9 implementations are, right now, the closest. Raptor Computing Systems is shipping what looks to be real nice, but real EXPENSIVE, stuff. There may also be some OpenSPARC stuff.

Re:Quick fix:

[RhettLivingston]

I read an interesting article on that a couple of decades ago where they were discussing how it ignited some growth in machine code translation technology that later evolved into some of the first serious run-time machine code translators.

It seems that they just shipped it with faults and researchers would test it, characterize the faults in the chip, and cross translate all of the machine code to eliminate the use of opcodes that had faults in the hardware in favor of equivalent workarounds.

An interesting side effect is that there were many different levels of performance available depending on how many and which opcodes had to be worked around.

Re:Quick fix:

[dwywit]

I'd love to evaluate one of those Talos II workstations, just to see what kind of workload could make it top out.

4K special effects rendering? VMs by the dozen?

Re:Quick fix:

[Tough+Love]

The main issue is Meltdown, which is Intel-only.

Re:Quick fix:

[Tough+Love]

Not only full open, but said to be more power efficient than ARM. Rather interesting, even if the truth is more nuanced.

Re:Quick fix:

https://www.phoronix.com/scan.php?page=article&item=power9-epyc-xeon&num=1
You're welcome!

Re:Quick fix:

[Bruce+Perens]

Wrong link.

Re:Quick fix:

[Tom]

Alternative fix: Someone in a country with a) a non-broken legal system or b) a legal system so broken that Intel can forget about enforcing its "license": Go collect and post the most comprehensive benchmark data you can possibly get.

Re:Quick fix:

[Tough+Love]

Right.

Re:Quick fix:

[Bruce+Perens]

Right SiFive. ABI from Risc-V, but their own VHDL program (or whatever they use). Uses the existing software tools.

Re: Quick fix:

[Zero__Kelvin]

Digital is already a special case of analog. That is why clock speeds have limits and trace runs must be laid out by someone with a firm understanding of analog. Crosstalk etc. are a thing with digital components.

Re: Quick fix:

[Zero__Kelvin]

Buying AMD doesn't mitigate the issue for already purchased and deployed hardware. The two aren't mutually exclusive.

Re: Quick fix:

[zwarte+piet]

You won't make that mistake again.

Re: Quick fix:

[zwarte+piet]

Can't get the image of digital pcb tracks getting laid by an analog engineer out of my head.

Re:Quick fix:

[zwarte+piet]

I wondered what that smell was.

Re: Quick fix:

[Zero__Kelvin]

Keep trying.

Re:Quick fix:

[Type44Q]

How about good old-fashioned commodity hardware for the /heavy lifting/rendering... and save the ridiculously expensive secure stuff for when you can't airgap??

Re:Quick fix:

[AmiMoJo]

Even better, take Intel to small claims court and make them buy you a new AMD system.

That's what I did. The first round of patches were crippling for me.

Re:Quick fix:

[AmiMoJo]

The CPU is fully open source, but you need more than just a CPU to make a useful computer.

It's still a very important project. Aside from anything else it offers other open source projects a decent CPU core to use, unencumbered by patents or copyright and fully supported by tools like GCC and Linux.

Re:Quick fix:

[drinkypoo]

More like an African elephant for Intel and a chihuahua for AMD and the rest.

Not the rest. IBM's POWER is just as vulnerable as Intel's processors, and mitigation is just as expensive. Apparently, Big Blue is just as unscrupulous as Intel. But I guess that's not a big shock to anyone who's been paying attention since, say, WWII?

Re:Quick fix:

[drinkypoo]

The main issue is Meltdown, which is Intel-only.

ITYM Intel and IBM, whose POWER processors are also vulnerable to both SPECTRE and MELTDOWN... and on whose processors mitigation is just as expensive as on Intel.

Anyone who trusted Intel or IBM before this was a tool, but anyone who trusts Intel or IBM now is a moron.

Re:Quick fix:

[Tough+Love]

Anyone who trusted Intel or IBM before this was a tool, but anyone who trusts Intel or IBM now is a moron.

I wouldn't got that far, I can see how this vulnerability could be overlooked before it became a widely researched thing. I would say it convincingly demonstrates that neither Intel nor IBM is infallible. But we already knew that, after all they are just populated with a bunch of real life schmucks just like you and me. Mistakes happen. Maybe they should keep that in mind for their next design.

BTW, is there anybody stupid enough to trust a monopolist? Oh right.

Re: Quick fix:

[ComputerKarate]

Where I live you cannot take a company with more than 3 shareholders to small claims court. I guess it is different where you live?

Re: Quick fix:

[AmiMoJo]

It is, you can take anyone to small claims court here.

Re:Quick fix:

[drinkypoo]

Anyone who trusted Intel or IBM before this was a tool, but anyone who trusts Intel or IBM now is a moron.

I wouldn't got that far, I can see how this vulnerability could be overlooked before it became a widely researched thing. I would say it convincingly demonstrates that neither Intel nor IBM is infallible.

I can see how it would be overlooked, but I can also see that's not what happened. Intel gained a competitive advantage over AMD by architecting their chips in this fashion. It was a deliberate decision and now Intel's users are paying for it. Ditto for IBM.

BTW, is there anybody stupid enough to trust a monopolist? Oh right.

Yeah, only tools.

Re: Quick fix:

[that+this+is+not+und]

Actually, more what we used to call an RF design engineer. The tracks are waveguides.

Not some hokey analog engineer with 6V6 vacuum tubes designing an audio power amp.

Re:Quick fix:

[that+this+is+not+und]

There aren't any non-proprietary and open tools to compile Verilog or VHDL. At least not any that you can plug into a modern powerful FPGA.

we saw this coming long ago

[deviated_prevert]

You do not own a computer chip you are a slave to the software necessary for it to run which is locked down. HACK ON they deserve what they are about to reap! Reversing chips is how most of the locked down hardware was made available to Linux users for most of the early history of the kernel. Intel now wants a total lock down.... SCREW THEM

Re:we saw this coming long ago

[Balial]

You saw this coming but have no idea of the history behind microcode patches?

https://en.wikipedia.org/wiki/...

The microcode feature is there to help you, not enslave you. Silicon is forever. Patching it on your desktop after the fact is a god-send.

Learn some history before you claim to have predicted the future.

Re:we saw this coming long ago

[hcs_$reboot]

The microcode feature is there to help you

Except, as GP said, when that prevents you from using freely the CPU it runs into.

Re:we saw this coming long ago

[SharpFang]

The idea of microcode is neat, but lawyers and marketing drones can shit up any neat idea by tacking a shitty license on top of it.

Re:we saw this coming long ago

[deviated_prevert]

You saw this coming but have no idea of the history behind microcode patches?

https://en.wikipedia.org/wiki/...

The microcode feature is there to help you, not enslave you. Silicon is forever. Patching it on your desktop after the fact is a god-send.

Learn some history before you claim to have predicted the future.

With respect; the fight to keep alternative operating systems on PCs and servers is a long and storied history. Through the "hardware partner" cartel, win modems and finally the palladium initiatives culminating in locked bios that required key codes to load an OS. Linux has weathered the lockout exclusion storms that favor Microsoft and to a lesser extent Apple.

The fact that Linux based servers still run huge portions of the servers that power the net is still a problem for Intel, in as much as Linux servers don't suffer the constant upgrade cycles that Windows servers do. Thus reducing the need to change out high horsepower gear every 5 years or so and greatly reducing the software licensing fees for ISPs and web servers. The slow sales of Windows server software to ISP, can easily be helped along by Intel locking down testing of security updates for the Linux kernel. Servers certainly must patch the Intel hell holes that speculative execution has created.

I am posting this from a core 2 duo on a Lenovo T500 that is completely vulnerable to the Intel holes that could melt me down at any time. In fact this aspect has already been exploited on firefox with a malicious javascript that put an old school activex style coded tidbit on my ram that made me kill the firefox pid and do a whois traceroute on the source. It was from a .tk as usual and the kicker was that the .tk redirected to a .ru. I still have the logs and printouts of the hack with bounces.

So yes linux is vulnerable and can be annoyance hacked due to intel's stupid speculative execution coding routines, but fortunately not completely hosed unless you are an idiot and let the attacker(s) in. The sky is always falling with opensource software and using linux as a computer OS. BUT I still refuse to send more ransom money to Microsoft or even the Coca Cola company for that matter to secure my computers for use on the information highway when Intel tries again to start WW111 with us linux users. I must indeed be a deviated_prevert to say this but: NOT ONE DIME MORE TO INTEL OR MICROSOFT I have spent enough securing and replacing their hardware and software over the 30 or so years I have needed it to do any serious work that required internet communications!

I think I've got the message...

[niittyniemi]

So Intel, as a condition of using your patch to fix the broken shit you sold us, you don't want us to use the patch to empirically determine just how broken your shit was, or else you'll sue us?

I've got the message loud and clear: you're crooked dirtbags.

I don't think I'll be sending any money your way in future.

Re:I think I've got the message...

[r_pattonII]

The statement from Intel is translated as follows: "We really don't want the public to know how bad we screwed up so we are prohibiting you or anyone else to benchmark the issue before this patch and especially after the patch as we do not want our bottom line ($$$) tarnished by the bad publicity. Therefore since you are using cloud services and require speed this fix is supplied to you to keep your mouth shut about how bad we actually suck at providing quality code for our products. If you are not satisfied with this solution, go somewhere else. BTW good luck with that too!"

Re: I think I've got the message...

[Bruce+Perens]

The slashdot editor munged the link to the license text. It's here.

Re: I think I've got the message...

AMD: "We'll take 'em!"

Intel just made my Streisand effect alarm break. They've screwed up the PR for this since it started. Bad updates, downplaying the severity of the issue, FUD, and now a gag order. You'd think they could handle this better, but I guess not. Rather, I'd say they are scared shitless right now. They've got another FDIV problem on their hands, nothing that will fix it without pain, and no true solution coming out the pipe for another year. Meanwhile their competition is out classing them in everything. Well almost everything, colossal PR nightmares, and bad security design isn't on their competition's roadmap. Reason to be scared indeed. I was already buying AMD exclusively over the AMT crap, but anyone buying Intel at this point is a complete idiot.

Re:I think I've got the message...

i want to see the best intel vs amd cpu benchmarks fro the last 10 years to be rerun and for us to see how the difference between intel's best and amd's best looks now with all the patches and microcode updates installed. like x4-965 vs intel equivalent. stuff like this.
i'm leaning towards the 'intel processors routinely being 20% faster than amd cpu's at the same speed" to be more even, or possibly amd having the performance crown for all these years, it's just intel cheated so much it made their cpus look faster.
amd always had the superior design, they just weren't willing to cheat as much as intel was to win.

it's funnier when you realize they don't want people to benchmark these and publish them, yet when intel launches cpu's, they include benchmarks.... which i thought were useless. oh, they're only useless when they paint you in a bad light, but they're good when they show your cheats are winning the race.

Re:I think I've got the message...

[RhettLivingston]

you're crooked dirtbags

From the very start of this saga when Intel jumped the gun on the press release to make sure that it combined their main problem with another problem they shared with AMD in order to make it appear as though they were equally affected, Intel has been playing dirty - bordering on criminal - pool.

Re:I think I've got the message...

[DontBeAMoran]

At this point I'm hoping the soon-to-be-announced low-cost MacBook will use Apple's own ARM CPU/GPU.

Re: I think I've got the message...

[SIGBUS]

I have absolutely no regrets about going with AMD for all my recent builds. As lackluster as Bulldozer was, Ryzen (even my relatively pedestrian 1700) has been wonderful - and I'd even take Bulldozer over Meltdown, FUD, and gag orders any day.

Re: I think I've got the message...

[Zero__Kelvin]

Debian would be distributing the patch. It would be redistribution if the Debian user ... wait for it ... redistributed it.

Re: I think I've got the message...

[jittles]

The slashdot editor munged the link to the license text. It's here.

The license agreement says that they cannot publish benchmarks, as in those who redistribute the microcode cannot publish benchmarks. It does not (and could not) restrict anyone using the microcode update to publish benchmarks. Intel has been asking all of the companies involved in this process for benchmarks since the beginning. Every single microcode update. I'm not saying Intel is doing the right thing here at all, but it's not as bad as it seems. My guess is that the reason for this change is that the performance decrease is based on the type of work being performed. The microcode that Intel sends for inclusion in firmware is different than the microcode they send to OS vendors. The firmware version of microcode has all of these mitigations disabled and they must be enabled. My understanding is that these microcode updates through OS are supposed to be optional for those who need the mitigations enabled (cloud providers, for instance). But I don't know Intel's exact reasoning behind this with any sort of certainty. And since an OS push of microcode has to be loaded every single boot, it is easy enough to downgrade if necessary.

Re: I think I've got the message...

[kalpol]

I don't even think Bulldozer was that lackluster, mine have been great other than the massive amount of heat it puts out. It's still doing pretty much anything I ask of it.

Re: I think I've got the message...

[Shirley+Marquez]

Bulldozer had very disappointing single thread performance, making it a poor choice for gaming. It was further crippled on Windows by the fact that Microsoft didn't release a process scheduler that really understands it until Windows 8, leaving all the installed base of Windows XP and 7 with ever worse performance than the processor was capable of. Linux, of course, was updated right away, and Windows 10 inherited the improvements from 8.

Basically, you can't schedule Bulldozer as if it were a straightforward 8 core CPU because of the resources shared between core pairs. It needs to be scheduled in a way that is more like Hyperthreading on Intel CPUs, acknowledging the performance differences of various combinations of cores. Microsoft wrote that code but didn't backport it to the versions of Windows that most people were using at the time.

At the initial release, Ryzen suffered from a similar problem. Not with SMT; that was handled properly right away. But what Windows didn't understand was the need to be aware of the two CCX units and the increased memory latency for cross-CCX access. So far as I know Microsoft STILL haven't fixed that for the single-die Ryzen processors, though they do address it correctly for Threadripper. In short, they should schedule Ryzen as if it were a dual-socket system, and keep threads of the same program on a single CCX when possible.

Re: I think I've got the message...

[Shirley+Marquez]

The license of Debian explicitly gives users the right to redistribute it, with or without modification. That right is inherent to the nature of free software. So they can't possibly comply with a restriction on redistribution.

Re: I think I've got the message...

[Zero__Kelvin]

Very good. You just restated the content of the story. Here's your sign ...

It's extremely slow now!

[Gravis+Zero]

The reason they did this is because it slows performance to what I would call a painful crawl. I would post the benchmarks to quantify and prove it but it's not allowed.

Re:It's extremely slow now!

Well, if you break the license, you should stop using product (the updated microcode). I'm sure someone would sacrifice their CPU for publishing

Re:It's extremely slow now!

[sinij]

The reason they did this is because it slows performance to what I would call a painful crawl. I would post the benchmarks to quantify and prove it but it's not allowed.

Painful crawl is slightly faster than a standstill, and slightly slower than molasses slow. So you did benchmark it and violated the agreement.

Re:It's extremely slow now!

[Tough+Love]

One person downloads and applies the patch, another runs the benchmarks. Why is this complicated? In the worst case, somebody posts the results anonymously.

Intel is definitely wrong here, legal thuggery notwithstanding.

Re:It's extremely slow now!

[wgoodman]

That's why they added "or allow a third party to.."

Re:It's extremely slow now!

[Tough+Love]

Interesting and fanciful legal theory that some crack addict in Intel's legal department put forth. How can any processor maker control what somebody does with their computer? Well that is the issue of course. Intel so obviously in the wrong. I say, rub their noses in it more than a little bit.

Re:It's extremely slow now!

[Dragonslicer]

How can any processor maker control what somebody does with their computer?

They aren't. The license doesn't say that you can't run any benchmark tests, it only says that you can't tell anyone else the results. Of course, it's still stupid.

Re:It's extremely slow now!

[Tough+Love]

OK, so a friend runs the benchmarks and EFF publishes them. EFF notifies Intel that they have done so and that their third party software license stipulation is unenforceable. Hilarity ensues.

Re:It's extremely slow now!

[Dragonslicer]

OK, so a friend runs the benchmarks and EFF publishes them. EFF notifies Intel that they have done so and that their third party software license stipulation is unenforceable.

Intel asks a judge to subpoena someone from the EFF and ask them who the friend is that violated the license. Whether or not it's worth it for Intel to push to find out who it was, that's a separate question.

Hilarity ensues.

For those of us watching at home, hopefully yes. Still a pain in the ass for anyone who has to waste time and money defending themselves in court.

Re:It's extremely slow now!

[Tough+Love]

Intel asks a judge to subpoena someone from the EFF and ask them who the friend is that violated the license.

The friend turns out to be a lawyer working for EFF. This is the raison d'etre for EFF, this is precisely how they get donations and entertain themselves. Intel is highly unlikely to go as far as a subpoena or any other such wankery, it would be highly embarrassing for them. This whole fiasco is just the result of some overzealous minion getting a bit too creative with the creative license writing. It should be put down firmly by people whose business it is to do so (like Bruce Perens) and we should all move on.

Re:It's extremely slow now!

[Dragonslicer]

The friend turns out to be a lawyer working for EFF. This is the raison d'etre for EFF, this is precisely how they get donations and entertain themselves.

No complaints from me. I'm perfectly happy to see crap licenses get struck down by a court. It's also much better for an organization such as the EFF to do it, since they're well-prepared for the fight, instead of some random Slashdot reader.

Intel is highly unlikely to go as far as a subpoena or any other such wankery, it would be highly embarrassing for them.

True, but I try not to underestimate how far some companies will go with the wankery (Oracle comes to mind). Sometimes they don't realize how embarrassing it might be, and sometimes they just don't care because they know they won't lose any business over it (Oracle again comes to mind).

To emphasize, I agree that this license provision is crap. I just wanted to try to correct a couple points.

Re:It's extremely slow now!

[Tough+Love]

It's also much better for an organization such as the EFF to do it, since they're well-prepared for the fight, instead of some random Slashdot reader.

What makes you think there are no EFF members randomly reading Slashdot?

Re:It's extremely slow now!

[Tough+Love]

This whole fiasco is just the result of some overzealous minion getting a bit too creative with the creative license writing. It should be put down firmly by people whose business it is to do so (like Bruce Perens) and we should all move on.

Well there ya go.

Re:It's extremely slow now!

[Dragonslicer]

I'm sure plenty of Slashdot readers have donated money to the EFF, and I'm sure several people who work for the EFF read Slashdot at least occasionally. Does the EFF call anyone who donates money a member? The probability of a randomly selected Slashdot user being employed by or volunteering significant time to the EFF is extremely low. The probability of a randomly selected Slashdot user having donated money to the EFF is higher, but I would guess it's still unlikely.

If you specifically select a Slashdot user because they work for the EFF, then your selection isn't random. Bruce is not, with any reasonable probability, a "random Slashdot reader".

What makes you think there are no EFF members randomly reading Slashdot?

I would think that any EFF member who is reading Slashdot intended to come here. Do they typically have their computers select random web sites to visit?

Re:It's extremely slow now!

[Tough+Love]

Bruce is not, with any reasonable probability, a "random Slashdot reader".

I beg to differ, Bruce is pretty random. Me too, I consider it a badge of honor.

Hey Rocky, watch me pull a rabbit out of my ass

[bobstreo]

"This time for sure!"

I've had an AMD-64 microcode patch sitting in my update manager for a week or so. I think I'll wait a little longer to apply it,

  I don't like being the first wave of test monkeys.

Re:Hey Rocky, watch me pull a rabbit out of my ass

[Tough+Love]

Not what you're on about. AMD microcode updates have been solid as a rock in my personal experience.

Re:Hey Rocky, watch me pull a rabbit out of my ass

[drinkypoo]

AMD64 is the architecture, like 486 or 8080. Intel 64 bit processors are AMD64 architecture.

Literally everything you said was wrong. amd64 is the instruction set. The architectures have code names by which we know them, and none of them are called "AMD64". Intel 64 bit processors duplicate the AMD64 instruction set, but they have different underlying architecture than the AMD processors. They are similar because they perform similar jobs, but they are not identical.

Re:Hey Rocky, watch me pull a rabbit out of my ass

[Tough+Love]

You know that you aren't a CE. Stop lying to everyone and yourself by injecting falsehoods into a discussion about CE.

Wow, you have serious issues, you need to learn some respect. And you are spouting nonsense. Physical vs logical indeed, thanks for your own private definitions, I'm sure everyone in the industry will appreciate those.

Re:Hey Rocky, watch me pull a rabbit out of my ass

[Tough+Love]

And WTF is "die architecture"?

Re:Hey Rocky, watch me pull a rabbit out of my ass

[Tough+Love]

This was a parody post right? Please tell me it was parody.

Re:Lies?

[glowworm]

The Microcode tgz file also contains a license file with the same language

"(v) publish or provide any Software benchmark or comparison test results. "

However, there is also a clause that says if you download the tgz you accept the license automatically. So, the act of downloading to read thatlicense means you have agreed will not publish benchmarks.

Kudos

[jmccue]

Well kudos to Debian. I am very disappointed in seeing Red Hat, SUSE in saying the licence is fine.

Just goes to show you how close to Windows the big commercial Linux Distro are moving.

Re:Kudos

[sinij]

You are assuming they read the click-through agreement.

Re:Kudos

[Bruce+Perens]

Actually, I've caught Red Hat in a number of legal mistakes where I've had to wake up one of their lawyers to the issue, because the engineer never consulted one. This might be that sort of thing, or whoever read the text didn't consider the implications. The microcode runs for every instruction, and as far as I can tell the prohibition applies to all use of the CPU. Don't ever provide or publish benchmarks, even for your own software, using this CPU to collect them.

The lawyer who wrote the license obviously didn't walk through what the CPU actually does, and that the implication of the language would thus be larger than expected.

Re:Kudos

[short]

It is being discussed for Fedora, RHEL is its derivative.

Re:Kudos

[AmiMoJo]

Would the licence even apply to the end user? Will a licence agreement pop up on screen asking the user to agree to Intel's terms when they install a Red Hat OS or update one?

Because it seems likely that the end user will never even hear about the patch, and innocently go run some benchmarks when they find their system has slowed to a crawl.

Will be interesting to see how Microsoft handles it too. Someone is living in a fantasy world if they think people are going to stop benchmarking and posting the results online.

What I hope will happen

[Bruce+Perens]

I hope that the part of Intel with some sense will wake up to what that other part of Intel is doing and fix this, quickly. When there is a company that big, it has a multiple personality disorder. Obviously this time somebody didn't think through the implications of their legal language.

That's not the message I took away

[rsilvergun]

what I took away was "Go buy an AMD processor".

Re:That's not the message I took away

[thegarbz]

what I took away was "Go buy an AMD processor".

If you took nothing away you would likely be legitimately looking in AMD's direction anyway. AMD have made some amazing strides back into the market place in the past few years.

Only if a judge says so

Intel can put "You will not (i) exercise any of your first amendment rights ever again." in their license. That doesn't make it enforceable.

I bet Intel would be too chicken-shit to even sue over this license breach.

Is a judge really going to say that a software license, to fix a defect in a product, can rise to the level of an NDA (non-disclosure agreement)?

The precedent set by a counter suit for a full refund plus court costs will have Intel scrambling, tail between legs, to change this license text.

Re:Only if a judge says so

[PPH]

That doesn't make it enforceable.

And what will the penalty be? Pay them back the price of the patch?

The interesting part would be if someone installed the patch, ran the benchmarks, published the results and then Intel sued them for an imputed loss of sales.

Re:Only if a judge says so

[Spamalope]

Loss of the lawsuit from customers who paid Base price * 3 for the bleeding edge processor and received performance at a level below the advertised performance of the base unit. I'd think they'd want a refund (at least of the price difference - but if they've got to replace the platform to recover the speed... that's more expensive isn't it).
And why wouldn't they be entitled to one just as a diesel VW customer would be.

Re:Only if a judge says so

[cstacy]

Intel can put "You will not (i) exercise any of your first amendment rights ever again." in their license. That doesn't make it enforceable.

First Amendment pertains to GOVERNMENT censorship, not to private contracts such as software licenses.

Re:Only if a judge says so

[cyberchondriac]

That has nothing to do with the First Amendment. Why do so few people understand what free speech means? It means the government can't penalize you for speaking your opinion; it says nothing of a private institution suing you over a disputed NDA or contract. There should be some other legal recourse however to defeat this ridiculous, draconian license.

Wrong link

[Bruce+Perens]

The link at "a new license term" is to a license for a different product. I'm sure I didn't write that :-)

Someone at Intel might want to read about...

[ElizabethGreene]

Someone at Intel might want to read about the Streisand effect.

Re:Someone at Intel might want to read about...

[dddux]

We have a very old proverb here: "Good news travel far, but the bad news travel farther". Something along these lines.

Re:Lies?

Pretty sure that the shrink-wrap license issue was already tested in court and lost--completely unenforceable.

Re:Lies?

[Bruce+Perens]

Yes. I didn't write that link. The proper text can be found here.

Re:Car analogy time

[Bruce+Perens]

Well, the good lawyers call me when they do stuff like this. Or someone like me who can read a license and knows how a CPU is built. I have saved a few from mis-stating themselves.

In something approaching lawyerese...

[Letophoro]

Our new microcode reduces performance so much that we must muzzle those who analyze these things for a living to prevent them disclosing their results lest it negatively impact our stock price in a manner sufficient to affect the valuation of those in our organization whose position begins with XXO (Something Something Officer), at least until such time as the proper retirements and/or significant stock sales are complete.

What if I do publish the benchmarks?

[Gabest]

Will I lose the right to use the CPU?

Re:What if I do publish the benchmarks?

[Miles_O'Toole]

"You can use the CPU, bitch, but only the way WE tell you to use it". No doubt that's the fantasy Intel execs masturbate to every night before bed.

Links to benchmarks?

[KClaisse]

So.....



Anyone got a link to some benchmarks?

Re:Links to benchmarks?

Here's a link, I just hope Intel doesn't commandeer my#``{{#'+`$NO CARRIER

How long before we see what this code does?

[Streetlight]

I already expected to see either a link here in /. or real data on the effect this code has on CPU performance. Maybe I'm looking in the wrong place.

Re:How long before we see what this code does?

[sgage]

"In a time of universal deceit, telling the truth is a revolutionary act. George Orwell"

In a time of universal deceit, telling the truth is a total fracking waste of time.

Yes, I'm afraid it's come to this.

Re:Lies?

[thesupraman]

You cannot agree to a license until you have had an opportunity to read it.
WELL Established these days.

However, they can stipulate that you cannot use the item until you agree, so long as they can show that the license was reasonably presented to you.

Intel trying top prosecute anyone on this however would be... interesting PR.

Is this enforceable outside the US?

[shking]

There are much stronger consumer protection laws in many countries, the EU for example

Re:Is this enforceable outside the US?

A vendor cannot change the terms of sale during a warranty repair. The CPU as purchased is faulty. Everyone in Europe with Intel CPUs under warranty would be justified in returning them for a full refund.

Make your next CPU

[AHuxley]

a AMD CPU. Enjoy some benchmarks.

Re:Make your next CPU

Techspot just published some very extensive benchmarks ( https://www.techspot.com/review/1683-linux-vs-windows-threadripper-vs-core-i9/ ) that make AMD's Threadripper 2990WX look significantly faster than Intel's i9-7980XE in a lot of the particular tests. Interestingly they did most (all?) of the tests with Linux and Windows 10 on both CPU's and Linux also seemed to do better to various degrees (a little to a lot).

I suppose we could assume this patch will increase the AMD performance margin, depending on the particular test, so why bother with worrying about how much more the patch hurts the Intel - just assume it will perform even worse, and buy accordingly, eh?

R O

Re:Intel is scum

[sgage]

I feel bad that I bought a new computer this spring with an Intel processor. I can't afford to just get a new computer, or I would. But I'm stuck with this one for a while.

This is a national security issue

[Zero__Kelvin]

Intel is guilty of attempting to undermine national security and whomever attempted this bullshit should be charged accordingly. Every qualified security expert should look carefully at this code and publish their findings post haste.

Re: This is a national security issue

[Zero__Kelvin]

Yeah ... That's way more funny. DOH!

nope

[matushorvath]

"Many computer users don't allow outside or unprivileged users to run on their CPUs"

Your browser is running some outside unprivileged JavaScript for almost every page you visit. One of the exploits was specifically described for JavaScript running in a browser.
You don't even need to be able to execute code. Even code that would traditionally be considered harmless could potentially be used for side channel attacks if you e.g. control the input data. That invoice your ISP sent you as a PDF could potentially use a harmless piece of code inside Adobe Reader to do something harmful.
The fact that it has not been demonstrated yet does not mean it can't be done.

Re:nope

[phantomfive]

I think that sentence was aimed at people run their own data centers. Many of these computers (most?) don't even have a web browser installed.

Re:nope

[Spamalope]

Why would anyone bother with a novel approach to exploiting Adobe products when there are such a large number of known vulnerabilities to choose from?

Re:nope

[thegarbz]

Your browser is running some outside unprivileged JavaScript for almost every page you visit.

Which would worry me if the browser ran that script long enough to build up a detailed profile of my machine, and then customised it's own malware attack to make a side channel attack at all relevant.

The reality is side channel attacks MUST be targetted at a specific system setup, or in many cases with modern OS security measures the actual specific currently running system with the hope it doesn't reboot at some point. Just because your browser executes Javascript doesn't mean anyone in their right mind would attack or even be able to successfull attack your system in doing so.

The fact that it has not been demonstrated yet does not mean it can't be done.

It can be done. Everything CAN be done. The point is it WON'T be done because of the sheer amount of effort requried when there are far more effective attacks. Even for malware writers and hackers time ultimately is money and a generic bug is many orders of magnitude more valuable to them than a side channel attack on memory.

Re:nope

[AmiMoJo]

Browsers run Javascript in a VM. It's not the same as running code directly on the CPU, and a world away from changing the CPU microcode that runs below all other protection mechanisms.

CPU microcode malware would be incredibly hard to detect or mitigate. We are reliant on CPU vendors keeping it secret enough to prevent abuse.

Re:Intel?

[sgage]

Imagine if MS went all in supporting/facilitating Wine. I wouldn't be surprised at all if they had contingency plans...

AMD

[BrendaEM]

Vote against Intel's malarkey with your money.

Re:AMD

[Fly+Swatter]

ATI had horrible and buggy drivers too, what happened to them?

Re:AMD

Can't speak to the GPU side but the Ryzen CPUs are fantastic and the chipsets have never been problematic IMO. The on-die memory controller was a little different at first but now I have no issues on my 1st gens and never had any issues with my Ryzen+.

Re:AMD

[drinkypoo]

ATI had horrible and buggy drivers too, what happened to them?

They started publishing enough driver information to developers that they are able to make a functional Open Source driver. nVidia is still worse about that. Best to avoid spanking new AMD video cards until the free driver supports them, however.

Re:AMD

[Shirley+Marquez]

AMD's CPU chipsets have been solid for quite a while. The problematic AMD motherboards were mostly back in the day when third party chipsets were still available. VIA, notably, did a number of them and not all of them were good. The only reports of problems with Ryzen motherboards I have heard of involved support of very fast RAM; that one appears to have been the fault of both the CPUs and the motherboard chipsets; it was mitigated with microcode updates for the CPUs and fixed in the second generation Ryzen products.

AMD, nee ATI, graphics drivers can still be a problem. And the company tends to drop support of older graphics hardware like a hot potato, much more quickly than NVidia does. On the bright side, AMD is much more cooperative with open source development than NVidia is, so older ATI/AMD graphics hardware is well supported on Linux.

Intel is not managed well, in my opinion.

[Futurepower(R)]

Intel is AMAZINGLY self-destructive, IMO!

Intel says this: Intel's Brian Krzanich is forced out as CEO after 'consensual relationship' with employee. Another story: New details emerge on the office affair that led to Intel CEO Brian Krzanich's surprising resignation on Thursday.

Do you believe this quote? "The office affair which sparked Intel CEO Brian Krzanich's surprise resignation on Thursday started a decade ago and ended before he became CEO in 2013, The Wall Street Journal reported."

I'm guessing that Intel is trying to hide the real reasons that CEO Brian Krzanich is no longer CEO: 1) The Sceptre and Meltdown vulnerabilities in nearly all Intel CPUs, problems that began with former CEO Paul S. Otellini. 2) He used inside information to profit: Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock.

The new Intel CEO is Robert Swan. He joined Intel in September 2016 as CFO.

One of the most self-destructive acts is to appear to lie. Then everything else is examined as also possibly a lie.

Re:Intel is not managed well, in my opinion.

[Z00L00K]

Now we just have to find a scapegoat for rowhammer as well.

Re:Intel is not managed well, in my opinion.

[DarkOx]

I agree but lets be really honest about something else while we are on that subject. Those skeletons are left to lay in their closets unless unless you extol the wrong politics or tick off the wrong person. The CoC / #meToo crowd has a some legitimately aggrieved folks in it who deserve justice but to pretend that the majority of people banding those terms about on twitter are not using as either a person or political weapon for entirely selfish motives is nonsense.

Re:Intel is not managed well, in my opinion.

[BlackOverflow]

Intel inside

Re: Intel is not managed well, in my opinion.

#metoo, which culminated in calling Aziz Ansari a predator for not being a kind reader, was about anything but honest allegations. All men are fearful at work around women and rightfully so. I, myself, thought like you do until I got #metoo'd for a private political conversation after hours (at a conference) about Donald Trump's Billy Bush comments with a female coworker. She decided that being offended constituted sexual harassment. I was immediately suspended (sent on a plane ride home from the conference) and fired the next day without so much as a conversation with me about my side. That's right. I was fired for sexual harassment because I said (privately after hours and as an answer to a question) that the Billy Bush comments don't prove Trump is a rapist. Men have every reason to be afraid of false sexual harassment allegations in the #metoo era. You need to get educated.

Re:Intel is not managed well, in my opinion.

[thegarbz]

Those skeletons are left to lay in their closets unless unless you extol the wrong politics or tick off the wrong person.

I don't agree with this completely. There have been plenty of examples where good people have been let go due to skeletons entirely because of fear of public opinion. The fact that workplace relationships at Intel are banned in the first place is a very crude example of this. It's excessive nonsensenical application of something that in some conditions goes against the social code (specifically power over others in a employer / employee relationship).

You don't need to piss off anyone for a SJW to go rambo on your arse.

Re:Lies?

[Mal-2]

For the tealdeer crowd, the relevant portion starts on line 71.

Re:What's the problem?

The intel-microcode packages for Debian are in the non-free repository. I'll make a point not to take legal advice from you.

Guns don't kill people; holes kill people

[bussdriver]

Guns don't kill people; flesh displacement kills people.
Guns don't kill people; going into shock kills people.
Guns don't kill people; organ failure kills people.
Guns don't kill people; bleeding out kills people.

Re:Guns don't kill people; holes kill people

[cstacy]

Guns don't kill people; flesh displacement kills people.
Guns don't kill people; going into shock kills people.
Guns don't kill people; organ failure kills people.
Guns don't kill people; bleeding out kills people.

"And what makes that cop's gun so cool? PHYSICS! Kinetic energy generates the velocity with which the bullet exits the barrel, while the ballistics coefficient and sectional density determine the damage to its targets! Guns don't kill people, PHYSICS kills people!" ---Prof. Dick Solomon

Judge Laughs

[bill_mcgonigle]

So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?

Let's see a million people tweet their slowdown measurements and then it'll be Intel Legal's move. Somebody come up with the hashtag.

Re:Judge Laughs

[Dragonslicer]

So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?

In general, if you need to provide to the court some document or information that should not be revealed to the public, it would be filed under seal. That isn't to say that a judge wouldn't (or shouldn't) laugh at Intel for this, I'm just pointing out that it isn't an impossible situation.

Re:Judge Laughs

[dddux]

"Somebody come up with the hashtag". #intelgate

and will intel force MS to trun this on in windows

[Joe_Dragon]

and will intel force MS to trun this on in windows even on AMD systems?

Re:Lies?

[anegg]

I'd like to see a court case. Wouldn't this be thrown out as an obvious violation of free speech? Sure intel could not hire someone who benchmarks their stuff, or fire someone who benchmarks it and happens to work at intel, but I'd think that is it.

"Free speech" in the United States typically means rights against federal government regulation described in the 1st amendment to the US constitution. There isn't a general prohibition against a contract requiring someone not to talk about something - non-disclosure agreements specifically limit an individuals ability to speak about certain matters. IANAL; I have no idea how likely it is that a prohibition on publishing benchmarks contained in a firmware license for firmware necessary to patch security vulnerabilities in a chip would be found valid or invalid by a court. However, I don't think a winning argument against it would be based on it being a violation of free speech.

Not Legal

[SirAstral]

You can ignore stupid shit like this. Intel can sue for you for looking cross eyed if they wanted to. It does not mean that they will win even if you lose everything defending yourself from it.

No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this. Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable. Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions.

That said, it could still be a nightmare to deal with but that is the nature of SLAP lawsuits to begin with. The intention is not to win, but to financially drain you into a loss or to scare people... mainly the websites publishing benchmark data.

One wrong move by Intel and they will be facing the same kind of fucking class action lawsuit themselves. Everyone should slap so many fucking benchmarks online that intels heads spin!

Re:Not Legal

[cstacy]

No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this.

Of course a company can enter into a contract with you that says you can't publish performance specs for their product. So I am going to assume that you mean to say that it's about a product they PREVIOUSLY sold you. The thing is, Intel did NOT previously sell you this microcode update.

The contract is that Intel will provide you this new microcode update, which is software, but that your license to use it will be restricted. (Specifically that you can't run this software on a computer for the purpose of benchmarking it, and that you won't publish such a benchmark.)

I don't see any legal problem with that contract.

It doesn't make Intel look good, but if you don't like the deal, then don't install the software.

Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable.

If you cannot read the "By downloading, you agree..." license terms BEFORE downloading, then you have a shrink-wrap license problem. (By the way, shrink-wrap licenses are still upheld in some states such as Maryland and Virginia.) Even if there's a shrink-wrap issue, though, it is fairly obvious that INSTALLING the software after downloading and reading the accompanying license would constitute agreement to the terms.

Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions

That case was different than this. In the PS3 case, Sony removed access to their online gaming network, thereby crippling the box. Here, Intel is not removing access to anything: if you don't like the terms, then don't install the microcode update, and your computer will continue to function exactly as it did before, with all the same capabilities (and bugs) intact. Which is the point.

I expect the benchmarks will be out soon and all over the place, published in ways that make it impossible to figure out who to sue. Then, these benchmarks will be reported all over the place by people who never downloaded or installed or agreed to any of the license terms, and in fact did not perform any benchmarking themselves. Just published some results from some other shadowy people who cannot be sued.

Re: Not Legal

[cstacy]

its an under warranty fix for previously sold product.

Yeah, except that you're just TOTALLY MAKING THAT UP !

Re:Not Legal

[cstacy]

A company can't impose additional legal terms with a fix to a sold product.

This Intel "fix" has nothing to do with any kind of "warranty" or "recall" or anything like that, and it's totally optional for you. You just don't like that fact, is all.

Not that this makes Intel less slimy, but your "legal" reasoning is just based on ignorance and imagination.

Re:Not Legal

[SirAstral]

"That case was different than this."

Nope, like all case law, it depends on your argument.

When intel sold their product they agree to certain legal obligations. They cannot alter those legal obligation with a TOS/EULA. Sure it does not stop them from trying but no judge is going to uphold a contract that states you have no 1st Amendment rights after buying our CPU on a PUBLICLY SOLD product. They might have a case if they sold their product exclusively where they can control the purchase start to back. And this does not even get into 2nd hand items.

Intel cannot shirk it's legal warranty requirements in this fashion and they certainly cannot place a moratorium on public data about a publicly sold product expost facto to its sale.

Re:Lies?

[LaughingRadish]

How well do you suppose a book publisher will get with a clause stating that nobody shall release a review of a particular book without that review first being approved by the publisher?

Could be a mistake

[viperidaenz]

The license also mentions NDA's and Pre-Release agreements

Looks like license they would include with pre-release/beta software.

7. CONFIDENTIALITY. The terms and conditions of this Agreement, exchanged
confidential information, as well as the Software are subject to the terms and
conditions of the Non-Disclosure Agreement(s) or Intel Pre-Release Loan
Agreement(s) (referred to herein collectively or individually as "NDA") entered
into by and in force between Intel and You, and in any case no less
confidentiality protection than You apply to Your information of similar
sensitivity. If You would like to have a contractor perform work on Your behalf
that requires any access to or use of Software, You must obtain a written
confidentiality agreement from the contractor which contains terms and
conditions with respect to access to or use of Software no less restrictive
than those set forth in this Agreement, excluding any distribution rights and
use for any other purpose, and You will remain fully liable to Intel for the
actions and inactions of those contractors. You may not use Intel's name in any
publications, advertisements, or other announcements without Intel's prior
written consent.

Re:Could be a mistake

[jrumney]

I thought the following terms from TFS were a bit off for a production release.

You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; ... (iii) use or make the Software available for the use or benefit of third parties;

Never mind the benchmark clause, there is no way I would expect Debian, Microsoft, or anyone else to start shipping code that has those clauses in the license terms.

Re:and will intel force MS to trun this on in wind

[viperidaenz]

How would you run Intel microcode on an AMD CPU?

Re:and will intel force MS to trun this on in wind

[Joe_Dragon]

may not that but the other non microcode Intel fixes.

so run SUSE, Arch, and Red Hat and lose the right

[Joe_Dragon]

so run SUSE, Arch, and Red Hat and lose the right to bench your own systems?
I don't think that yum update can show an EULA or even an YUM update -y && reboot can stop and force you to read it.

Intel can say you are not our customer call your d

[Joe_Dragon]

Intel can say you are not our customer call your dealer / distributor for an refund.

well When you started your car you said yes to eul

[Joe_Dragon]

well When you started your car you said yes to the new eula. Don't like it you can trade your car in (no full refund)

we can file an copyright claim / dmca takedown

[Joe_Dragon]

we can file an copyright claim / dmca take down or even an press theft changes some of our cpus are over $1K-5K each so that is grand larceny.

Now an real lawyer can kill that BS but some small guys may just back down vs $$$ to defending them form the big boys at intel.

is just for places like Puget Systems / LinusTechT

[Joe_Dragon]

is just for places like Puget Systems / LinusTechTips / etc that if you bench it then you get cut off them from free parts / Engineering Samples? But they some how copied the that EULA into the update one?

Whoops

[Tough+Love]

Whoops, this is basically an ad for Ryzen.

Me too, lol.

[Grog6]

n/t.

Is Microsoft Bound by the Same Terms?

[jaa101]

How can Microsoft deploy this microcode to customers without banning benchmarking under Windows? Are they just betting Intel isn't going to sue them?

Simple - Can't run == FAIL

[technosaurus]

Since you cannot run the benchmark (in this case due to legal restrictions) just write FAIL* next to it. Then put the actual values for AMD, VIA and DMP CPUs. Once a few dozen articles get published where even DMP beats Intel's most expensive chips, they will wake up.

* FAIL means that the chip was unable to complete the benchmark due to faulty engineering or legal restrictions.

Re:Simple - Can't run == FAIL

[jittles]

Since you cannot run the benchmark (in this case due to legal restrictions) just write FAIL* next to it. Then put the actual values for AMD, VIA and DMP CPUs. Once a few dozen articles get published where even DMP beats Intel's most expensive chips, they will wake up. * FAIL means that the chip was unable to complete the benchmark due to faulty engineering or legal restrictions.

The license does not say you cannot run benchmarks. It says that the OS vendors cannot publish benchmarks. Period. Other people can benchmark and publish. The OS vendor can benchmark and decide whether or not to even accept the update, as Debian has done. I don't think it's right. Intel should not try to restrict this. They should request that the OS vendors publish a caveat that performance degradation depends on the way the system is being used and leave it at that. This was pretty stupid. But you are making sound worse than it actually is.

Dear unfree communist China

Pleas post these benchmarks. Thank you, the US.

So if I am an IT service provider ...

[thempstead]

"(v) publish or provide any Software benchmark or comparison test results"

So if I am an IT services provider looking after systems for my Customers and need to patch this ... then the first thing they will ask is "what performance impact did your testing of the patch show?" ... which I can't now tell them as it would be providing them with comparison test results between a system before and after patching ...

Without providing this then they will not agree to the change being made ... which means the system will have to remain unpatched and vulnerable.

I wish I had mod points.

[Grog6]

This really fits with the Manifort/Cohen news, but it's on point, nonetheless.

I wonder why the new /. owners haven't allowed a story on that? :)

Just use AMD

[ReneR]

it has better performance and price anyway: https://www.youtube.com/watch?...

Soon to be found in hardware magazines

[Opportunist]

"We are not allowed to provide any benchmark results, but we can say that if you consider buying an Intel i9, we should maybe inform you that we have an Athlon that we don't need anymore and you might be interested."

BogoMIPS

[zmooc]

So did the Linux distro's that did accept this license modify their kernel to disable the BogoMIPS feature?

Phoronix

[Meneth]

Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan....

Re:Phoronix

[jittles]

Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan....

Read the license. It does not restrict the publication of benchmarks. It restricts the OS vendors from publishing benchmarks directly. Not cool on Intel's part. But no where does the license prevent anyone from running benchmarks. That would be impossible to control and completely impossible to enforce.

Benchmark with the 20180703 release

[tglx]

The 20180703 micro code release has the mitigations for a set of server class CPUs and comes with the old micro code license, which does not contain any of those restrictions. Also experimentation has shown, that the micro code variant for flushing L1D on VMENTER is not really much different slowdown wise from the software L1D flush mitigation which is used by the Linux kernel/KVM when the magic new MSR is not available.

While Joe Desktop User does not worry much about the L1TF mess, he very much is interested in the other fixes and mitigations which come with those updates.

It's a sad state of affairs, that corporates seem to be able to screw their customers in any way they see fit. Seems to be a common scheme. Just look at the Diesel disaster where now the car owners are facing driving restrictions in certain cities because their cars do not comply to the emission standards.

What is happening at Intel? BAD management?

[Futurepower(R)]

Intel accused of age discrimination (May 28, 2018) Subtitle: "US federal investigators are looking into Intel's layoffs of 12,000 employees since 2016."

Judging from personal conversations with Intel employees and comments on web sites, Intel is badly managed:

Quote from thelayoff.com, Nov. 23, 2017:

"As a person who worked there several times as contract employee, which makes up most of the workforce. I have seen this happen many times, where older and higher paid blue badges get shown the door, and sometimes escorted out like criminals. This has created a paranoid environment among those who are left, so everyone starts back stabbing each other because they don't want to be the next one to be booted. And creates animosity to the contract workers who are treated like crap. So any workplace cohesion gets thrown out the window, because everyone is circling their prospective wagons."

Can we get the benchmarks on wikileaks?

[InPursuitOfTruth]

They will probably sue wikileaks for publishing benchmarks now.

Sorry that happened. Working at 6PM is still worki

[raymorris]

I'm sorry that happened to you.

You mentioned "after hours" twice. Your story might be a reminder that if you're at a work conference with the team from work, don't do or say things that are Not Safe for Work. I have other friends, not co-workers, for NSFW discussions. If you're with co-workers, follow the guidelines you'd use for conversations with co-workers - no matter what time it is.

for comfort

[micahraleigh]

Federal civil servants just doesn't feel comfortable letting the general population know how many CPU cycles they are, ahem, re-appropriating to their activities.

They are already uneasy about people finding out how much of their data and cell bills are getting eaten up by their activities.

It's been hard enough getting enough opposition research and unmasking all the GOP bad guys. It's not their fault they couldn't do their jobs properly and get Hillary in the white house.

And now they're losing their jobs because they couldn't get their candidate in? How disappointing that must be.

So think about the comfort of the federal people entrusted with making sure their people get elected and need to hide how much of our device resources they are using.

If you don't think about that ... how selfish are you ??

Intel is changing the license.

[aliquis]

And allowing benchmark again.
And chance it was an old beta license?

Pretty sure Intel, and other, were well aware

[w1zz4]

They probably just cut corners, just like the others, in order to be able to claim better performance and optimization...

Now updated

[velinion]

Seems someone in PR realized how bad this looked, as they've updated the license: https://01.org/mcu-path-licens...

How can they enforce that?

[ripvlan]

They build a general purpose CPU - and it is owned by the person who purchases it. How can this possibly be enforced? It feels like selling car, and stating that the new owner can't drag race and post the times.

Although I read it as distinct pieces. "You" won't provide documentation to others explaining how to look inside, and also won't provide benchmark software / results, nor documentation that uses these "Secrets" to benchmark.

but some random person off the street can certainly figure it out themselves. "You" can't use your insider knowledge to help them.

It's called a DeWitt clause

[dwheeler]

Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay...

Re:Sorry that happened. Working at 6PM is still wo

[Highdude702]

Man I'm glad I'm in construction. I would hate to have to watch my mouth at every turn and not be able to make crude jokes.