Intel failed to disclose Meltdown and Spectre to government until flaws made public, Apple...

Posted in General Discussion, edited February 2018
Apple, Google parent Alphabet and Intel in letters to lawmakers on Thursday revealed a bit of background information concerning the recent airing of Meltdown and Spectre chip vulnerabilities, saying Intel notified U.S. cyber security officials of the flaws only after their existence was made public.




The letters were sent to U.S. Rep. Greg Walden, chair of the House Energy and Commerce Committee, in response to questions the congressman leveled over the disclosure of Meltdown and Spectre, reports Reuters.

Specifically, Walden sought answers as to why government officials were not informed of the hardware vulnerabilities before they became public knowledge, potentially posing a threat to national security.

For its part, Intel said it decided not to inform the United States Computer Emergency Readiness Team, or US-CERT, upon learning about Meltdown and Spectre as hackers had not taken advantage of the flaws. In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors."

The chipmaker ultimately informed the US-CERT about the vulnerabilities on Jan. 3, a day after The Register reported on the issue and some six months after Google researchers first brought the flaws to Intel's attention.

Intel notified other tech companies of the problem last year, within the 90-day disclosure deadline offered by Google as standard practice. Google later extended that deadline to Jan. 3, then Jan. 9, according to a letter from AMD.

Meltdown and Spectre exploit a modern CPU feature called "speculative execution," a hardware design meant to improve operating speed by executing multiple instructions at the same time.

"To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed," Apple explained in a January statement. "If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software."

Though the processes are supposed to be inaccessible by applications and end users, Google researchers discovered that speculative executions could potentially be used to gain access to sensitive information stored in system memory.

Initially thought to be limited to Intel silicon, Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple's A-series SoCs. Shortly after initial reports went live, Apple issued a statement confirming all Mac and iOS CPUs are impacted by the security flaw.

Apple began the process of mitigating Mac vulnerabilities in December, while later software and security updates patched iOS devices in January. Additional fixes for macOS High Sierra and older Mac operating systems were also pushed out last month.

Comments

  • Reply 1 of 15
    What Intel is really saying is the government is the biggest leaky bucket around and if they told the government they were ensuring the information would have found its way into the wrong hands before Intel and others could fix it.
  • Reply 2 of 15
    Isn't that a good thing? I bet the government would try to abuse the leak way before it got public.
  • Reply 3 of 15
    Soli (Posts: 10,038, member)
    Isn't that a good thing? I bet the government would try to abuse the leak way before it got public.
    Yeah. Blabbing about it would be the most surefire way to make a potential issue into a kinetic issue.

    In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors." 
  • Reply 4 of 15
    rob53 (Posts: 3,289, member)
    Security by obscurity doesn’t work in this case. If they had notified US-CERT the vulnerability would have become public since that’s how they work. Except in those instances where they don’t—at least not until someone talks. 
  • Reply 5 of 15
    No.  Intel is stupid for not informing them.

    Does Microsoft not bother with patches and disclose until there is a major breach?

    Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.

    Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...

    IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.


    People are thinking about the NSA (etc.) exploits getting out in the wild. That’s another issue entirely.

    Instead people should consider that Chinese hackers stole stealth fighter jet designs.  What if that was NK and nukes?
  • Reply 6 of 15
    People are thinking about the NSA (etc.) exploits getting out in the wild. That’s another issue entirely. Instead people should consider that Chinese hackers stole stealth fighter jet designs. What if that was NK and nukes?
    The refutation to your statement is political and would be deleted. Just… consider it refuted.
  • Reply 7 of 15
    In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors." 

    This must be a misquote. Can Intel’s management really be this stupid and naive? Never mind, I just answered my own question. Bunch of effin retards.
  • Reply 8 of 15
    mac_dog (Posts: 1,083, member)
    maestro64 said:
    What Intel is really saying is the government is the biggest leaky bucket around and if they told the government they were ensuring the information would have found its way into the wrong hands before Intel and others could fix it.
    Bingo! Exactly what I was thinking. Can’t trust this government for anything.
  • Reply 9 of 15
    I thought they told the Chinese government before.
    Why is this?
  • Reply 10 of 15
    wood1208 (Posts: 2,924, member)
    Last entity to tell such critical info is Government Cyber officials. Possibly someone might have loose lips and never know unknowingly employed foreign spies. Best, soon as company finds such critical flaw/s then implement/test fix, deploy it like normal security updates and then let the Government and rest of the world know.
  • Reply 11 of 15
    DAalseth (Posts: 2,972, member)

    Does Microsoft not bother with patches and disclose until there is a major breach?

    Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.

    Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...

    IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.
    Let's take these one at a time: No, Microsoft patches their stuff once they have a patch. No point in screaming "Hey you know if you do XYZ you can take remote control of a Win10 box" until they have a way to stop it. They don't wait until there is a major breach. No, Intel started working on a fix as soon as they were notified. They notified MS, Apple et al. last summer and all of them worked very hard to fix it. This is how they found out that it was not limited to Intel chips but impacted the A series as well. The problem is that this is a hard bug to fix. The leak made that worse and Intel pushed out a patch they thought would solve it, but it had bugs because it wasn't ready yet. PR had nothing to do with this. Yes, Google does apply pressure after the 90 day timeout if the company they notify does not take action. Intel and all of them started working hard to fix this tough, ground level problem immediately. That's why Google didn't go public. Intel was trying to fix it. Yes, IT people need to know about security issues IF THEY CAN DO SOMETHING ABOUT THEM. This was not something that field IT people could do anything about. To let this be publicly known, especially when there was no way to fix it, would have been the height of irresponsibility.
  • Reply 12 of 15
    DAalseth said:

    Does Microsoft not bother with patches and disclose until there is a major breach?

    Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.

    Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...

    IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.
    Let's take these one at a time: No, Microsoft patches their stuff once they have a patch. No point in screaming "Hey you know if you do XYZ you can take remote control of a Win10 box" until they have a way to stop it. They don't wait until there is a major breach. No, Intel started working on a fix as soon as they were notified. They notified MS, Apple et al. last summer and all of them worked very hard to fix it. This is how they found out that it was not limited to Intel chips but impacted the A series as well. The problem is that this is a hard bug to fix. The leak made that worse and Intel pushed out a patch they thought would solve it, but it had bugs because it wasn't ready yet. PR had nothing to do with this. Yes, Google does apply pressure after the 90 day timeout if the company they notify does not take action. Intel and all of them started working hard to fix this tough, ground level problem immediately. That's why Google didn't go public. Intel was trying to fix it. Yes, IT people need to know about security issues IF THEY CAN DO SOMETHING ABOUT THEM. This was not something that field IT people could do anything about. To let this be publicly known, especially when there was no way to fix it, would have been the height of irresponsibility.
    You’re making some false assumptions, the biggest is that if there is no fix/patch that doesn’t mean you can’t detect a potential hack and prevent the exploit of the vulnerability.

    2nd, companies (even the size of Microsoft and Apple) have limited resources. You can see this in Apple’s shift in declaring they wouldn’t force out their next innovation, and rather focus more resources on speed, reliability, security, etc.

    In my opinion, those things are more important. Google gives 90 days before going public on vulnerabilities they discover. If Microsoft can’t fix their bugs (for example) that means their allocation of resources is out of whack with the needs of their users (including businesses). The problem is businesses (especially public ones) prioritized profits above all else. Google basically shames companies into doing what they should be doing anyways.

    After 90 days, either Microsoft has ignored the problem (bug) or it might be a bigger problem to fix than they estimated, and didn’t allocate the proper resources. The same applies to Intel, etc.

    After Google makes it public, it becomes a global problem and an enormous amount of resources are dedicated to solving it. Some IT people might be working at the firewall/router (or other intrusion prevention system), others might be working at the software level (think antivirus) to detect suspicious activity and block it.

    Rather than go on...basically governments and businesses have many other things they can do, rather than just wait for a patch/fix etc.  

    With the case of Intel’s vulnerabilities, the government needed to know immediately; finding out at the same time as hackers was incredibly stupid and dangerous.
  • Reply 13 of 15
    foggyhill (Posts: 4,767, member)
    DAalseth said:

    Does Microsoft not bother with patches and disclose until there is a major breach?

    Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.

    Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...

    IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.
    Let's take these one at a time: No, Microsoft patches their stuff once they have a patch. No point in screaming "Hey you know if you do XYZ you can take remote control of a Win10 box" until they have a way to stop it. They don't wait until there is a major breach. No, Intel started working on a fix as soon as they were notified. They notified MS, Apple et al. last summer and all of them worked very hard to fix it. This is how they found out that it was not limited to Intel chips but impacted the A series as well. The problem is that this is a hard bug to fix. The leak made that worse and Intel pushed out a patch they thought would solve it, but it had bugs because it wasn't ready yet. PR had nothing to do with this. Yes, Google does apply pressure after the 90 day timeout if the company they notify does not take action. Intel and all of them started working hard to fix this tough, ground level problem immediately. That's why Google didn't go public. Intel was trying to fix it. Yes, IT people need to know about security issues IF THEY CAN DO SOMETHING ABOUT THEM. This was not something that field IT people could do anything about. To let this be publicly known, especially when there was no way to fix it, would have been the height of irresponsibility.
    You’re making some false assumptions, the biggest is that if there is no fix/patch that doesn’t mean you can’t detect a potential hack and prevent the exploit of the vulnerability.

    2nd, companies (even the size of Microsoft and Apple) have limited resources. You can see this in Apple’s shift in declaring they wouldn’t force out their next innovation, and rather focus more resources on speed, reliability, security, etc.

    In my opinion, those things are more important. Google gives 90 days before going public on vulnerabilities they discover. If Microsoft can’t fix their bugs (for example) that means their allocation of resources is out of whack with the needs of their users (including businesses). The problem is businesses (especially public ones) prioritized profits above all else. Google basically shames companies into doing what they should be doing anyways.

    After 90 days, either Microsoft has ignored the problem (bug) or it might be a bigger problem to fix than they estimated, and didn’t allocate the proper resources. The same applies to Intel, etc.

    After Google makes it public, it becomes a global problem and an enormous amount of resources are dedicated to solving it. Some IT people might be working at the firewall/router (or other intrusion prevention system), others might be working at the software level (think antivirus) to detect suspicious activity and block it.

    Rather than go on...basically governments and businesses have many other things they can do, rather than just wait for a patch/fix etc.  

    With the case of Intel’s vulnerabilities, the government needed to know immediately; finding out at the same time as hackers was incredibly stupid and dangerous.
    Funny how I don't trust Google to be doing the same if they find the issue, 90 days. They're double-faced and lots of what they do is self-serving.
    Security starts in actual designing their system and there they are close to pathetic: Android is a security joke.

    The government and other actors likely already knew for a long time.
    In fact, it's highly probable that most intrusions occur on exploits that are hoarded by private and governmental entities for their own enrichment.

    In many cases with hardware exploits, early reveal contrary to what happens with software doesn't allow easy mitigation but simply increases the breadth of attack vectors.

    In this case, it is trying to mitigate it on the down low that revealed the existence of the issue to a wider audience, though it would have gotten out soon anyway.
  • Reply 14 of 15
    cornchip (Posts: 1,954, member)
    How did these security issues get such sweet logos?
  • Reply 15 of 15
    Soli (Posts: 10,038, member)
    cornchip said:
    How did these security issues get such sweet logos?
    LOL Good observation. I guess that says something for the scale and longevity of this HW issue that someone made logos that got adopted.