So skip the patch download then.
That would be a defective door, not a door that works as intended.
A closer analogy: You bought a door with 50 security features, but then someone found a very clever way to break in anyway. (But they didn't actually break in, they just wrote a white paper describing the method.) All 50 security features still work correctly, and your door still works correctly. But you want to sue because the door company didn't provide the 51st security feature that no one in the world ever thought was needed when your door was designed.
If plaintiffs don’t have any claim they were harmed, the judge should dismiss. It doesn’t have to be proven that no harm occurred. If it's an open question with evidence and argument on both sides, then the judge won't dismiss.
Class action lawsuits are about lawyers getting paid. In order for lawyers to get paid more, they have to say Intel did the wrong thing. Therefore, Intel did the wrong thing, regardless. If they waited, it's wrong. If they didn't wait, it's wrong. If they both waited and didn't wait, it's doubly wrong. Because money for lawyers.
False. Lawsuits can be for false claims (regarding protection and separation of memory).
I'm sure Intel will argue they made no false claims of perfect, unhackable security.
increased risk
Increased from what? Computers have always worked this way, going back to 1995. The risks are no different today than a year ago.
mitigation costs
Google and Amazon might have mitigation costs. But Google and Amazon aren't a plaintiff class for a class action.
Don't worry though. I'm sure the lawyers will get paid. That's why we have a court system for class action lawsuits: so lawyers can get paychecks.
The people who have to reserve more cloud instances or otherwise scale up their hardware after patching for this are going to have large bills they can point to which will provide the economic harm you claim is missing.
Lawsuits are for past harm. You can't speculatively recover damages you might or might not experience someday.
If you really get a 5%-30% decrease in performance, it wouldn't be crazy for users to expect some kind of compensation for this.
How can a court let the lawsuits go forward without evidence that it's 1% or 30%? If these lawsuits were about just compensation rather than about lawyers getting paychecks, you'd already know whether you were harmed and by how much.
Give me a way to turn the new security features off, or give me a 5%-30% refund.
No one is forcing you to download the fixes.
Lawsuits are for harm, not for worries about harm that might happen someday.
Since there are zero cases where the flaw has been exploited to cause any problems, no one has suffered any economic harm. You need to have been harmed in some way to have standing to sue.
And Intel will also argue that they never promised any different chip behavior. They are not issuing any errata. The chips work correctly as designers intended, just like other vendors’ chips.
I expect at least a couple of these lawsuits to be thrown out by judges. Maybe all of them will be dismissed.
...but they earn (most) of that money. ... Companies tend to settle class action suits because of the negative PR, not because of the merits of the case.
I believe lawyers do work that they expect to be paid for. But the class action system is inherently unjust. Courts shouldn't exist primarily to get paychecks for lawyers. Lawyers end up getting paychecks and everyone else ends up paying more for everyday items. It doesn't end up serving any just purpose.
Companies like Intel try hard to make good products -- because customers don't like paying up for junk. The class actions won't significantly affect their financials. No one will get fired. No one will make any different engineering decisions because of the class action lawsuit. People who bought Intel processors won't get much value from a settlement award. Lawyers benefit by getting paychecks, and that's about it.
We have 4% unemployment. Lawyers should do economically productive work instead of using the rules to rearrange money other people earned (by doing productive work) into their pockets.
It's what Intel guys said on their conference call yesterday. I have not independently verified whether it's true.
Not interested in (bad) analogies. I can’t download a fence. And my house doesn’t have a 3 year replacement cycle.
This is a good answer, thanks. But...
Bruce Schneier thus says if you want security, you need to make it as absolutely simple as possible.
If the simple way is too slow, then you sometimes have to try something else less simple. I guess I don't believe it's impossible, but you've made the case that it's very difficult.
Even the OpenBSD team that is obsessive with security hasn't found a way to stop them.
There should be a way to mathematically prove a section of code is secure. If there is, then that would imply an answer exists. Perhaps it's too difficult or the result is even slower than the alternative too-slow implementation.
Actually Google has a really good overview: https://googleprojectzero.blog...
Saw that. It needs an executive summary.
I can't find the answer to my question there. Even if I read it carefully, I don't know if it would have the answer.
The short story is that there is no fix to stop any process from reading the entire memory contents of the machine. You need to replace the Intel processor with a processor that doesn't have this flaw to fix this problem.
Too many people are working on OS changes for that to be believable. If an OS change is irrelevant, then why bother implementing it?
Let's see... today I need to buy a Horse, Battery, and Staples. Correct.
https://xkcd.com/936/
That's my Alexa password. Every week I have to return 7 more horse batteries to Amazon.
It doesn’t (unless it does some of the gmail password handling somehow). It knows about its own internal sensitive data. I thought that was what was exposed.
Also, I was asking because I don’t know exactly how all this works. If you do, then maybe answer...? If you don’t, then maybe someone else will explain it to both of us.
Can’t the kernel just hide the password handling and crypto stuff in a separate address space and use the regular method for the boring stuff? Then cache-flushing would only need to happen sometimes rather than every time. Aren’t some big parts of the kernel “who cares if this data is exposed”?
I’m asking because I don’t know.
They’re changing the microcode to provide a mechanism for the OS kernel to implement the fix. They work together.
You'll get a $2 off coupon for a new CPU. $100 million for the lawyers.
Easiest, cheapest answer: landfills.
For Uber to be viable the rates really do need to head towards taxi rates or in some cases above taxi rates, so the idea that people never have to go back to taxis is ludicrous as Uber will fail even after an IPO if they continue on the current path.
Rates will rise a little, but the first major wave of self driving cars (in about 3-4 years) will be used for Uber or a similar service. The autonomous cars will drive specific routes and you'll get a driver for harder routes. Long term, rates will actually go down. In many cases, rides to commercial establishments will be free, just like the bus to the casino is free.
Taxis will continue to decline and eventually disappear completely.
Buying lunch isn't like buying a farm.
- HTC is doing better now that they sold their phone business to Google. We'll see if Google messes up like they did with Motorola.
- Uber will be fine. They'll IPO in 2020 at more than $20 Billion in valuation. That'll be a huge disappointment for Uber investors, but the world never has to go back to the taxi.
- Twitter will be like Yelp. Not a great business, but an ongoing one.
- Faraday and Karma and a bunch of other hyped electric car businesses will fail and get absorbed into Fiat or some other non-US car maker. But maybe not in 2018. Tesla will keep going.
- Gearbox has Borderlands 3 in 2018. It should be a huge success if they don't pull an EA and accidentally cut their own throats.
- Apple will prove critics wrong again by selling more iPhone X units than expected. Apple profitability will be helped by AirPod and Watch sales. New products in 2018 will be good. Critics will continue to be wrong.
- Cisco, Apple, Intel, Oracle, and Microsoft will all announce a special dividend for stockholders and huge stock buybacks, paid for by funds finally brought back from overseas.
- Slashdot will continue to be a politics and Internet-complaint site that occasionally mentions technology topics.
- Facebook use will see year over year usage declines in the US.
- Silicon Valley culture will continue to be authoritarian as it relates to political correctness. Calling people racist is the only marketable skill some people have.
- Red Dead Redemption 2 will be the biggest entertainment release of the year, bigger than any other game, book, movie, TV show, sporting event, or music release. It will be an amazing world. The story will be very good, but not as good as Red Dead Redemption.
Why would more customers travel to a bad neighborhood and risk arrest and disease using illegal hookers when there's a local, convenient, certified clean alternative?
What if it only stops half of it?