Intel Didn't Tell U.S. Government About Meltdown and Spectre Until Vulnerabilities Went Public

[MacRumors]

Intel failed to inform U.S. cyber security officials about the Meltdown and Spectre chip flaws ahead of when they leaked to the public even though Intel had advanced knowledge of the vulnerabilities, several tech companies said in letters sent out to lawmakers on Thursday.

According to Reuters, Apple and Google parent company Alphabet sent letters to Representative Greg Walden, who chairs the House Energy and Commerce Committee. Walden had previously questioned the tech companies about when the chip flaws were disclosed to Intel.

Alphabet said its Google Project Zero team informed Intel, AMD, and ARM about the chip vulnerabilities in in June and provided the three companies with 90 days to fix the problems before disclosing them.

Intel did not tell the U.S. Computer Emergency Readiness Team, aka US-CERT about the Meltdown and Spectre flaws until January 3, however, well after media reports went live. According to Intel, it did not disclose the vulnerabilities ahead of time because hackers had not exploited them.

Intel said it did not inform government officials because there was "no indication that any of these vulnerabilities had been exploited by malicious actors," according to its letter.

At the time the flaws were discovered, Intel also did not do an analysis on whether the flaws could impact critical infrastructure because it did not believe industrial control systems could be impacted, but it did inform the technology companies that use its products.

News of Meltdown and Spectre, two chip flaws that impact all modern processors, first began circulating in early January. Meltdown and Spectre take advantage of the speculative execution mechanism of a CPU, and because they are hardware-based flaws, operating system manufacturers have been forced to implement software workarounds.

Apple first addressed Meltdown and Spectre in iOS 11.2, macOS 10.13.2, and tvOS 11.2 and has since mitigated both vulnerabilities with little to no impact on device performance.

In addition to questioning by the U.S. government over its failure to share information on the security flaws, Intel is also facing at least 32 Meltdown and Spectre lawsuits

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: Intel Didn't Tell U.S. Government About Meltdown and Spectre Until Vulnerabilities Went Public

 

[826317]

Good. The government are worse than the average person dealing with these sorts of things.

 

[aaronhead14]

And why would Intel tell them? It's not the government's right to know about stuff like this right away, nor should it be.

 

[Scottsoapbox]

Of course they didn't. They wanted it to not leak early.

 

[Apple_Robert]

But the government is our friend. In fact, the government is our new parental units. The government knows best. That is why it needs to know everything when it happens.

 

[OldSchoolMacGuy]

I don't see why they'd need to. Government would just have slowed the release of such info so they'd have more time to make use of it for their own uses before news broke.

 

[longofest]

I know everyone likes to bash the US Gov, but the question on my mind is who did they decide to disclose to vs who didn't they disclose to? Did they disclose to other governments, but exclude the US Government? If so, that would have put other governments at a spy competitive advantage towards exploiting the weaknesses and gaining intelligence on US and other government assets. If they only told other companies, how were those companies selected for disclosure?

 

[coolfactor]

I know everyone likes to bash the US Gov, but the question on my mind is who did they decide to disclose to vs who didn't they disclose to? Did they disclose to other governments, but exclude the US Government? If so, that would have put other governments at a spy competitive advantage towards exploiting the weaknesses and gaining intelligence on US and other government assets. If they only told other companies, how were those companies selected for disclosure?

I'm pleasantly surprised (glad) to read the responses here.

Except this one. Why would you think they would tell other governments, but not the US government? My understanding is there was zero disclosure to anyone until it was made public.

 

[jdillings]

Intel may not have told the government until after they went public but I'm sure the NSA was already well aware of the vulnerabilities.

 

[AgentAnonymous]

Not that it would have made a difference, given how anti-technology the Trump administration circus is.

That said, Intel deserves to pay for this. They are lying through their teeth. The only reason they kept it a secret is because they didn't want to hurt their brand and subsequently their wallets. They put greed above our personal security, and also above the country's national security.

 

[fairuz]

Yeah, cause the government are idiots when it comes to computers, and they would immediately leak it. And I doubt they're gonna patch the vulnerabilities in their own systems any time soon. A lot of these agencies still run WinXP or just migrated to 7, and they're exactly the people who are so afraid of scriptkiddie tools like Metasploit becoming easier to use.

Sure, I'd like to see them exploit it to hack Russian, Iranian, and Chinese servers. But I don't think they're competent enough to exploit it in time either.

 

[farkingdom]

Not that it would have made a difference, given how anti-technology the Trump administration circus is.

That said, Intel deserves to pay for this. They are lying through their teeth. The only reason they kept it a secret is because they didn't want to hurt their brand and subsequently their wallets. They put greed above our personal security, and also above the country's national security.

They kept it a secret so that hackers will not start exploiting it until it’s properly patched.
But unfortunately it was leaked out earlier in a week before they would make the official announcement on this bug.
And why put only Intel at fault here when most of the processor (AMD and ARM) are all affected?
And where is your fact of them lying through their teeth and them being greedy? Intel hasn’t lied in anyway nor do I see them being greedy.

 

[fairuz]

They kept it a secret so that hackers will not start exploiting it until it’s properly patched.
But unfortunately it was leaked out earlier in a week before they would make the official announcement on this bug.
And why put only Intel at fault here when most of the processor (AMD and ARM) are all affected?
And where is your fact of them lying through their teeth and them being greedy? Intel hasn’t lied in anyway nor do I see them being greedy.

CEO sold a ton of his shares while it was still secret.

 

[NoNothing]

Not that it would have made a difference, given how anti-technology the Trump administration circus is.

That said, Intel deserves to pay for this. They are lying through their teeth. The only reason they kept it a secret is because they didn't want to hurt their brand and subsequently their wallets. They put greed above our personal security, and also above the country's national security.

I can’t agree with a single word in your comment.

This was only a flaw AFTER someone figured out how to exploit it. Both Meltdown and Spectre are amazingly simple, but sophisticated, attacks. Simple in it only takes a few lines of assembly. Sophisticated in it took people with a deep understanding to figure out the exploit. There is a reason it took decades to be figured out.

Once found, mitigation has to be planned. This is not a simple software fix, however, and impacts years of chip designs from multiple companies and architectures. First you have to see if the micro-code can be patched and if not you need to figure out how to patch the OS’s using your chip. There are teams and lines of communication setup to discuss these issues. The players then say “we need x days/weeks/months to design, implement and test a fix”

UNDER NO CIRCUMSTANCE WOULD YOU DISCLOSE THUS BUG BEFORE MITIGATJON IS IN PLACE OR READY.

 

[Wags]

They kept it a secret so that hackers will not start exploiting it until it’s properly patched.
But unfortunately it was leaked out earlier in a week before they would make the official announcement on this bug.
And why put only Intel at fault here when most of the processor (AMD and ARM) are all affected?
And where is your fact of them lying through their teeth and them being greedy? Intel hasn’t lied in anyway nor do I see them being greedy.

Not greedy? Like the barrage of stock option sales before news went public

 

[Phonephreak]

Not that it would have made a difference, given how anti-technology the Trump administration circus is.

That said, Intel deserves to pay for this. They are lying through their teeth. The only reason they kept it a secret is because they didn't want to hurt their brand and subsequently their wallets. They put greed above our personal security, and also above the country's national security.

Kinda like Apple needs to pay for lying to the public about their “power management”. Of course don’t forget about telling customers that their battery’s were good.

 

[naujoks]

Who should they have told? Trump?

 

[Macaholic868]

It’s long since time we passed laws that put the people behind bars who pull this crap instead of invoking corporate personhood and making the corporation plead guilty to some crime that results in paying a fine so puny the C level executive laugh while they cash their million dollar bonus checks.

 

[NT1440]

So in a country in absolute hysterics over “hacking” the overall sentiment in the thread is that the US government shouldn’t have been informed.

My thoughts on the surveillance state aside I’ll dangle the low hanging fruit:

What if no disclosure gave the big scary Russians the ability to hack into our intelligence apparatus....seeing as most of it runs on hardware effected by these flaws?

 

[AgentAnonymous]

I can’t agree with a single word in your comment.

This was only a flaw AFTER someone figured out how to exploit it. Both Meltdown and Spectre are amazingly simple, but sophisticated, attacks. Simple in it only takes a few lines of assembly. Sophisticated in it took people with a deep understanding to figure out the exploit. There is a reason it took decades to be figured out.

Once found, mitigation has to be planned. This is not a simple software fix, however, and impacts years of chip designs from multiple companies and architectures. First you have to see if the micro-code can be patched and if not you need to figure out how to patch the OS’s using your chip. There are teams and lines of communication setup to discuss these issues. The players then say “we need x days/weeks/months to design, implement and test a fix”

UNDER NO CIRCUMSTANCE WOULD YOU DISCLOSE THUS BUG BEFORE MITIGATJON IS IN PLACE OR READY.

Letting the US national security teams know isn't "disclosing the bug". That's something they would do while the fix (if any) is being worked on.

 

[TheIntruder]

It's obvious that many don't know what US CERT is, or the function it performs.

Guess what, people don't have to become injured or die before NHTSA becomes involved either, which is essentially what Intel's reasoning is.

 

[bladerunner2000]

Knowing Trump and other Republicans are running the Government, I wouldn't tell those psuedo-politicians either.

 

[-BigMac-]

Maybe Intel is called Intel because it’s main purpose through its loopholes is to collect intel for the governments

 

[ThunderSkunk]

Intel failed to inform U.S. cyber security officials

Eh. The US gov is on autopilot anyway, during the current smash & grab in progress. For all anyone knows they tried to call but had the misfortune of dialing the State Dept, where only the janitor is still on hand to answer the phone.

 

[Naaaaak]

Intel may not have told the government until after they went public but I'm sure the NSA was already well aware of the vulnerabilities.

The NSA and other nameless intelligence services probably directed the inclusion of Meltdown and Spectre years ago for their own benefit.

What other vulnerabilities have they managed to sneak in that no one else knows about yet? Corporate espionage and sabotage via intelligence services is a thing.