Congress questions Apple, others over decision to keep Meltdown and Spectre details secret...

Posted:
in General Discussion edited January 25
In letters sent to the CEOs of major tech companies on Wednesday, including Apple CEO Tim Cook, the U.S. House Energy and Commerce Committee asks why an agreement was made to keep details of the Meltdown and Spectre chip flaws secret until their public disclosure this month.




The congressional committee seeks answers from Apple, Amazon, AMD, ARM, Google, Intel and Microsoft, each of which released fixes for the hardware vulnerabilities over the past weeks, CNBC reports. A copy of the letter was posted online (PDF link) for public review earlier today.

As noted by the committee, a handful of tech firms, namely large entities directly impacted by Meltdown and Spectre, were informed of the vulnerabilities in June 2017 by Google's Project Zero team. These companies agreed to an "information embargo" originally set to expire on Jan. 9, 2018, when a majority of planned software mitigations would by that point be distributed.

However, details of Meltdown and Spectre began to leak earlier than expected, with major news organizations reporting on the issue as early as Jan. 2. The sooner-than-expected disclosure forced tech firms to accelerate work on their respective mitigation initiatives, the letter claims.

"Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement," committee representatives Greg Walden, Marsha Blackburn, Robert Latta and Gregg Harper said in the letter.

Meltdown and Spectre are hardware vulnerabilities that affect nearly every modern microprocessor, including those designed and manufactured by Intel, AMD and Apple. Discovered by Google researcher Jann Horn, the flaws rely on a common performance feature called speculative execution to potentially glean sensitive information like passwords from system memory without a user's knowledge.

The letter raises questions as to whether the collective decision to remain mum on the subject negatively impacted companies, end users and other organizations not privy to the original disclosure. More pointedly, the committee says the recent events call for greater scrutiny of coordinated cybersecurity embargoes.

"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the letter reads.

For its part, Apple began the process of mitigating Mac vulnerabilities in December, with later software and security updates patching iOS devices early this month. Most recently, the company issued additional fixes for macOS High Sierra and older Mac operating systems on Tuesday.

The committee requests each CEO respond to a series of nine questions by Feb. 7.

Comments

  • Reply 1 of 8
    maestro64maestro64 Posts: 4,147member
    So the bad guys could not use it before the industry could figure out a fix. Yeah that was not completely obvious to the fine people our government hires.
    MisterKitbaconstangmattinozcornchipberndoghattigSpamSandwich
  • Reply 2 of 8
    "We told the FBI and CIA.   We assumed they would inform Congress and the information would be leaked like every other secret.  Is that not the process? -Tim


    ;)
    baconstangmattinozcornchipberndogjony0Rayz2016SpamSandwichrepressthis
  • Reply 3 of 8
    Captain Obvious meet Captain Oblivious 
    berndogjony0Rayz2016
  • Reply 4 of 8
    dewmedewme Posts: 1,404member
    Most of the questions being asked by the committee are completely legitimate, especially those related to how and when US-CERT was notified and engaged. For the most part the questions and inquiries are seeking to collect more information in order to perform an accurate retrospective. My hope is that this incident will be used to help inform and refine the overall process and to make sure it is working effectively to quickly protect critical assets when a serious threat is identified anywhere in the critical asset sourcing stream, e.g., microprocessors and chipsets that are components of critical IT and control systems. It's not altogether obvious to me at least whether a company that's making smartphones, music players, tablet computers, and selling music streaming subscriptions is going to have a clear understanding of how security issues related to their components or products fit into the federal cybersecurity incident reporting requirements managed via US-CERT and other federal agencies. Any lingering ambiguity needs to be cleared up and awareness of US-CERT requirements needs to be extended further out into the technology provider space to include companies like the ones getting letters. This should be treated as a learning opportunity to further improve public-private sector cybersecurity collaboration and not a blame & shame game. Fingers crossed.
    Habi_tweetjony0
  • Reply 5 of 8
    zimmiezimmie Posts: 150member
    maestro64 said:
    So the bad guys could not use it before the industry could figure out a fix. Yeah that was not completely obvious to the fine people our government hires.
    The problem is tons of vendors weren't notified ahead of time so they could patch their software. The BSD teams (Free, Net, Open, &c.), Illumos, and more got nothing until public disclosure. This ventures into anticompetitive behavior territory because several of these organizations compete with some of the vendors who were notified. For example, Joyent is one of the original "cloud" providers. They hosted Twitter before Twitter was able to forecast growth. Google notified Amazon and Microsoft, which are their competitors, but they did not notify Joyent.
  • Reply 6 of 8
    maestro64maestro64 Posts: 4,147member
    zimmie said:
    maestro64 said:
    So the bad guys could not use it before the industry could figure out a fix. Yeah that was not completely obvious to the fine people our government hires.
    The problem is tons of vendors weren't notified ahead of time so they could patch their software. The BSD teams (Free, Net, Open, &c.), Illumos, and more got nothing until public disclosure. This ventures into anticompetitive behavior territory because several of these organizations compete with some of the vendors who were notified. For example, Joyent is one of the original "cloud" providers. They hosted Twitter before Twitter was able to forecast growth. Google notified Amazon and Microsoft, which are their competitors, but they did not notify Joyent.

    Yeah lot of people were not told and look what happen when a few only knew some idiot leak it out before the companies who could fix the issue had time to address the problem. I suspected they big guys like Apple, Intel and Microsoft who control the mass majority to the computer and communication infrastructure needed time to come up with solutions once they had a fix they could share they information with everyone else and they all could roll out similar fix. Considering how big of an issue this was, less people knowing was better until s fix could be rolled out. 
  • Reply 7 of 8
    What about older devices not updated???

    Any Mac w/Mac OS X 10.10 or earlier on it.

    iPad Mini 1st gen.

    ? millions of ATV 3's currently in use...shall I go on?
  • Reply 8 of 8
    ivanhivanh Posts: 169member
    "We told the FBI and CIA.   We assumed they would inform Congress and the information would be leaked like every other secret.  Is that not the process? -Tim


    ;)
    Obviously back doors thst bad governments love!
Sign In or Register to comment.