Slashdot Mirror
Intel Publishes Microcode Security Patches With No Benchmarks Or Profiling Allowed (theregister.co.uk)
Long-time Slashdot reader Bruce Perens writes: The Register reports that Debian is rejecting a new Intel microcode update because of a new license term prohibiting the use of the CPU for benchmarks and profiling.
There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results." UPDATE:: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."
The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.
Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.
So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.
There is a new license term applied to the new microcode: "You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results." UPDATE:: Intel has reworked the license to no longer prohibit benchmarking. Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, tweeted on Thursday: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."
The security fixes are known to significantly slow down Intel processors, which won't just disappoint customers and reduce the public regard of Intel, it will probably lead to lawsuits (if it hasn't already). Suddenly having processors that are perhaps 5% to 10% slower, if they are to be secure, is a significant damage to many companies that run server farms or provide cloud services. I'm not blaming Intel for this, I don't know if Intel could have foreseen the problem. Since some similar exploits have been discovered for AMD and ARM CPUs, the answer could be "no." But certainly customers are upset.
Another issue is whether the customer should install the fix at all. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, these side-channel and timing attacks are mostly irrelevant, and the slowdown incurred by installing the fix is unnecessary.
So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can't trust your components when you do that.
with these security patches installed, m'ladies
Making a bad situation, worse.
And the bigger question why is he not posting spam and dups like the rest of slashdot editors?
Only buy AMD.
Anons need not reply. Questions end with a question mark.
You do not own a computer chip you are a slave to the software necessary for it to run which is locked down. HACK ON they deserve what they are about to reap! Reversing chips is how most of the locked down hardware was made available to Linux users for most of the early history of the kernel. Intel now wants a total lock down.... SCREW THEM
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
So Intel, as a condition of using your patch to fix the broken shit you sold us, you don't want us to use the patch to empirically determine just how broken your shit was, or else you'll sue us?
I've got the message loud and clear: you're crooked dirtbags.
I don't think I'll be sending any money your way in future.
The Machine stops.
The reason they did this is because it slows performance to what I would call a painful crawl. I would post the benchmarks to quantify and prove it but it's not allowed.
Anons need not reply. Questions end with a question mark.
"This time for sure!"
I've had an AMD-64 microcode patch sitting in my update manager for a week or so. I think I'll wait a little longer to apply it,
I don't like being the first wave of test monkeys.
"(v) publish or provide any Software benchmark or comparison test results. "
However, there is also a clause that says if you download the tgz you accept the license automatically. So, the act of downloading to read thatlicense means you have agreed will not publish benchmarks.
Orationem pulchram non habens, scribo ista linea in lingua Latina
Well kudos to Debian. I am very disappointed in seeing Red Hat, SUSE in saying the licence is fine.
Just goes to show you how close to Windows the big commercial Linux Distro are moving.
I hope that the part of Intel with some sense will wake up to what that other part of Intel is doing and fix this, quickly. When there is a company that big, it has a multiple personality disorder. Obviously this time somebody didn't think through the implications of their legal language.
Bruce Perens.
what I took away was "Go buy an AMD processor".
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The link at "a new license term" is to a license for a different product. I'm sure I didn't write that :-)
Bruce Perens.
Someone at Intel might want to read about the Streisand effect.
Pretty sure that the shrink-wrap license issue was already tested in court and lost--completely unenforceable.
Yes. I didn't write that link. The proper text can be found here.
Bruce Perens.
Well, the good lawyers call me when they do stuff like this. Or someone like me who can read a license and knows how a CPU is built. I have saved a few from mis-stating themselves.
Bruce Perens.
So.....
Anyone got a link to some benchmarks?
That doesn't make it enforceable.
And what will the penalty be? Pay them back the price of the patch?
The interesting part would be if someone installed the patch, ran the benchmarks, published the results and then Intel sued them for an imputed loss of sales.
Have gnu, will travel.
"In a time of universal deceit, telling the truth is a revolutionary act. George Orwell"
In a time of universal deceit, telling the truth is a total fracking waste of time.
Yes, I'm afraid it's come to this.
"Many computer users don't allow outside or unprivileged users to run on their CPUs"
Your browser is running some outside unprivileged JavaScript for almost every page you visit. One of the exploits was specifically described for JavaScript running in a browser.
You don't even need to be able to execute code. Even code that would traditionally be considered harmless could potentially be used for side channel attacks if you e.g. control the input data. That invoice your ISP sent you as a PDF could potentially use a harmless piece of code inside Adobe Reader to do something harmful.
The fact that it has not been demonstrated yet does not mean it can't be done.
Intel is AMAZINGLY self-destructive, IMO!
Intel says this: Intel's Brian Krzanich is forced out as CEO after 'consensual relationship' with employee. Another story: New details emerge on the office affair that led to Intel CEO Brian Krzanich's surprising resignation on Thursday.
Do you believe this quote? "The office affair which sparked Intel CEO Brian Krzanich's surprise resignation on Thursday started a decade ago and ended before he became CEO in 2013, The Wall Street Journal reported."
I'm guessing that Intel is trying to hide the real reasons that CEO Brian Krzanich is no longer CEO: 1) The Sceptre and Meltdown vulnerabilities in nearly all Intel CPUs, problems that began with former CEO Paul S. Otellini. 2) He used inside information to profit: Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock.
The new Intel CEO is Robert Swan. He joined Intel in September 2016 as CFO.
One of the most self-destructive acts is to appear to lie. Then everything else is examined as also possibly a lie.
For the tealdeer crowd, the relevant portion starts on line 71.
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
The intel-microcode packages for Debian are in the non-free repository. I'll make a point not to take legal advice from you.
So Intel is saying if you want to benchmark to decide if you want to join the class action, you can't provide a detailed reason that you're joining the class? Lawsuits are a matter of public record - a judge is going to laugh at that kind of restriction. How does Intel expect it's going to enforce this?
Let's see a million people tweet their slowdown measurements and then it'll be Intel Legal's move. Somebody come up with the hashtag.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
ATI had horrible and buggy drivers too, what happened to them?
You can ignore stupid shit like this. Intel can sue for you for looking cross eyed if they wanted to. It does not mean that they will win even if you lose everything defending yourself from it.
No company can legally require a person this kind of performative obedience under any circumstance as a sold product like this. Additionally, there have already been cases where judges have rendered TOS/EULA agreements as total bullshit and unenforceable. Especially after a sale has already been completed, just look at the Sony Linux feature removal class action on the PS3 that cost them millions.
That said, it could still be a nightmare to deal with but that is the nature of SLAP lawsuits to begin with. The intention is not to win, but to financially drain you into a loss or to scare people... mainly the websites publishing benchmark data.
One wrong move by Intel and they will be facing the same kind of fucking class action lawsuit themselves. Everyone should slap so many fucking benchmarks online that intels heads spin!
The license also mentions NDA's and Pre-Release agreements
Looks like license they would include with pre-release/beta software.
7. CONFIDENTIALITY. The terms and conditions of this Agreement, exchanged
confidential information, as well as the Software are subject to the terms and
conditions of the Non-Disclosure Agreement(s) or Intel Pre-Release Loan
Agreement(s) (referred to herein collectively or individually as "NDA") entered
into by and in force between Intel and You, and in any case no less
confidentiality protection than You apply to Your information of similar
sensitivity. If You would like to have a contractor perform work on Your behalf
that requires any access to or use of Software, You must obtain a written
confidentiality agreement from the contractor which contains terms and
conditions with respect to access to or use of Software no less restrictive
than those set forth in this Agreement, excluding any distribution rights and
use for any other purpose, and You will remain fully liable to Intel for the
actions and inactions of those contractors. You may not use Intel's name in any
publications, advertisements, or other announcements without Intel's prior
written consent.
Techspot just published some very extensive benchmarks ( https://www.techspot.com/review/1683-linux-vs-windows-threadripper-vs-core-i9/ ) that make AMD's Threadripper 2990WX look significantly faster than Intel's i9-7980XE in a lot of the particular tests. Interestingly they did most (all?) of the tests with Linux and Windows 10 on both CPU's and Linux also seemed to do better to various degrees (a little to a lot).
I suppose we could assume this patch will increase the AMD performance margin, depending on the particular test, so why bother with worrying about how much more the patch hurts the Intel - just assume it will perform even worse, and buy accordingly, eh?
R O
we can file an copyright claim / dmca take down or even an press theft changes some of our cpus are over $1K-5K each so that is grand larceny.
Now an real lawyer can kill that BS but some small guys may just back down vs $$$ to defending them form the big boys at intel.
Whoops, this is basically an ad for Ryzen.
When all you have is a hammer, every problem starts to look like a thumb.
Since you cannot run the benchmark (in this case due to legal restrictions) just write FAIL* next to it. Then put the actual values for AMD, VIA and DMP CPUs. Once a few dozen articles get published where even DMP beats Intel's most expensive chips, they will wake up.
* FAIL means that the chip was unable to complete the benchmark due to faulty engineering or legal restrictions.
This really fits with the Manifort/Cohen news, but it's on point, nonetheless.
I wonder why the new /. owners haven't allowed a story on that? :)
Truth isn't Truth - Guliani
Phoronix seems to have disregarded that part and published some benchmarks anyway. https://www.phoronix.com/scan....
Intel accused of age discrimination (May 28, 2018) Subtitle: "US federal investigators are looking into Intel's layoffs of 12,000 employees since 2016."
Judging from personal conversations with Intel employees and comments on web sites, Intel is badly managed:
Quote from thelayoff.com, Nov. 23, 2017:
"As a person who worked there several times as contract employee, which makes up most of the workforce. I have seen this happen many times, where older and higher paid blue badges get shown the door, and sometimes escorted out like criminals. This has created a paranoid environment among those who are left, so everyone starts back stabbing each other because they don't want to be the next one to be booted. And creates animosity to the contract workers who are treated like crap. So any workplace cohesion gets thrown out the window, because everyone is circling their prospective wagons."
Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay...
- David A. Wheeler (see my Secure Programming HOWTO)