NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns

from the lol-ok-then dept

News surfaced late last week indicating everything about computing is fucked. Two critical flaws with zero perfect fixes — affecting millions of processors — were exposed by security researchers. Patches have been deployed and more are on their way, but even the best fixes seem to guarantee a noticeable slowdown in processing speed.

The government has stepped up to say that, for once, it’s not involved in making computing less safe.

Current and former U.S. officials… said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.

Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”

The veracity of this statement is largely dependent on the credibility attributed to the person making it. While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it’s laughable to assert the NSA wouldn’t “put a major company in a position of risk” by withholding details on an exploit. We only have the entire history of the NSA’s use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.

The NSA has left major companies in vulnerable positions, often for years — something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.

These recently-discovered exploits may be the ones that got away — ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn’t. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That’s just how this works. As long as exploits are returning intel otherwise inaccessible, the NSA will use the exploits for as long as possible before disclosing this info to US companies. The agency has historically shown little concern about collateral damage and I don’t believe putting someone new in charge of the VEP is going to make that much of a difference in the future.

Filed Under: , , , , , ,
Companies: intel

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns”

Subscribe: RSS Leave a comment
67 Comments
Ninja (profile) says:

Fox denies knowledge of huge hole in the fence. Claims it would never harm chickens.

I think a fellow reader summarized it quite well:

He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions. – Thomas Jefferson

Source comment

Anonymous Coward says:

A scorpion and a frog meet on the bank of a stream and the
scorpion asks the frog to carry him across on its back. The
frog asks, “How do I know you won’t sting me?” The scorpion
says, “Because if I do, I will die too.”

The frog is satisfied, and they set out, but in midstream,
the scorpion stings the frog. The frog feels the onset of
paralysis and starts to sink, knowing they both will drown,
but has just enough time to gasp “Why?”

Replies the scorpion: “It’s my nature…”

Uriel-238 (profile) says:

Re: "It's my nature..."

A wave of outrage in the frog communities over Scorpion-Rivergate turns into a frog cultural movement towards authoritarianism and nationalism. Scorpions in frog nations are rounded up into concentration camps and put to work. Soon all arachnids are classified as scorpions de facto and interned.

Frog Supreme Directorship (FSD) publishes a list of under-frogs, persons within frog society or interact with frogs who are either too meek or too dangerous to be tolerated. A bounty is offered to identify underfrogs so they can be be captured and interned. Non-amphians are quickly classified as underfrogs causing a refugee crisis of tens of thousands on the shores of Morocco.

Soon disabled frogs, frogs with deviant predilections, purple frogs, countercultural frogs, communist frogs, snake sympathizers and state dissenters are counted as underfrogs and rounded up. Supreme Frog announces a New World Order in which Frog Society will prevail and rule over all species for a thousand years.

Soon, the fifty Frogmacht armor divisions mobilize on the first day of the Great Eastward Frog Offensive to secure Europe and Asia.

Meanwhile The Secret Frog Administration (SFA) contends with the rising overpopulation of its workcamps and ghettos. Under the new budget, the Frog state can no longer afford to feed and maintain the camps, and a more permanent solution to underfrog redundancy must be found.

…or maybe I’m reading too much into the parable.

Anonymous Coward says:

can't we all just - just get along

If Intel and AMD (and thus ATI) can work together on a processor, why can’t Microsoft and Sony work together on a console. Imagine 1 console codeveloped by these 2 companies released every 6 years–with a mid cycle console (think XBOX 1 X and PS4 Pro -or- the “thin” versions) separately, sold at a lower price,at the mid point between each 6 year upgrade. Like this: in 2020 the SonyMicrosoft Box is released, in 2023 the XBOX.5 and PSX Pro are each released on the same day for half the cost of the SonyMicrosoft box, in 2026 the SonyMicrosoft Box 2 is released. Problem solved: no more exclusive titles & no more console wars. (Toyota and Subaru did something like this with the Toyota 86 and Subaru BRZ).

Also: high frame rates and high graphic fidelity are not necessarily mutually exclusive. Just give gamers the option to choose between the two with a check box or slider or something:
-click this box for 60 fps gameplay with medium graphics
-click this box for high graphics with slower than 60 fps
Some might ask “why can’t there be a 3rd box -click this box for 60 fps with high graphics”? Well, that 3rd box could exist, but the price of the console would then be prohibitive.
Just thinking out loud…

Anonymous Coward says:

Re: Re: can't we all just - just get along

As a REAL gamer, no, this person is not a gamer. Please do not confuse the two of us.

Real gamers understand that what this person says is the dumbest thing ever. While multiple console exclusives can be annoying, it is great for competition and forces Microsoft and Sony to constantly compete and try to outdo each other. It’s one of the things that has led to the booming and vibrant game market today. A collaboration would be horrifying.

Also, @OP, that third box you want? It’s called a PC and it’s not cost prohibitive.

Anonymous Coward says:

Re: Re: Re: can't we all just - just get along

That wasn’t my point. (Although you’re correct.) My point is that this utterly worthless moron dropped a comment into a serious thread about a major security problem (and the NSA’s possible knowledge of it) that had absolutely nothing to do with the topic at hand, only with his pathetic obsession with games. This is a painful level of stupid, particularly when I have to face it too early in the day to resort to booze.

Anonymous Coward says:

Re: Re: Re: can't we all just - just get along

Not everyone can afford both systems at the same time though, and the video card alone, on a gaming PC, can be way more expensive than a console (cough Nvidia TITAN). If only there were some type of emulation mode on each console (like Win XP mode on Win 7) that would let you play Crackdown on PS4…

Anonymous Coward says:

Re: Re: Re:2 can't we all just - just get along

you don’t have to buy a fucking $600 gaming card. PC is just cheaper over the long haul no matter how you slice the pie!

They last longer and are upgrade-able. Consoles die a lot and youare beholden to a MFG for your shit. Take nintendo and all the people that lost games becuase they were bound to their consoles or when a MFG wipes your game saves out when fixing your shit.

Console buyers deserve the miseries they get!

Anonymous Coward says:

Re: Re: Re:3 can't we all just - just get along

It’s just performance vs. convenience. PC’s are far more capable of higher frame rates and graphics than consoles, but there’s something to be said for the ease of use(and now portability thanks to the Switch) of consoles.

When I grow up, I’m gonna make a high end PC, capable of whateverK HDR gameplay at over 60fps, that also has a dock for it’s included portable (4K HDR >60fps) gameplay device. A PC/Switch combo.

Anonymous Coward says:

Re: Re: Re:5 can't we all just - just get along

Right now I would not bet on streaming being a good solution. It will add latency to your gaming. Every MS you add to your reaction time just means you get fragged more often.

I play on a 65 inch Samsung QLED that has about 21ms of delay. My human reaction time is around 100~200 ms, but add that to the delay from my TV and I am instantly 10~21% slower just because my TV has 21ms worth of input lag, it really adds up.

I have had situations where I had an older TV that I played on and my friends would mow me down constantly. With my new lower Lag TV I actually am able to win slightly more than 1/2 the time. The difference is noticeable.

Anonymous Coward says:

Re: Re: Re:2 can't we all just - just get along

If gaming is truly your passion and you absolutely have to have all exclusives for every console (been there, done that, got the t-shirt) then I’m certain you can find a way to make enough money to buy each and every console. I managed to do it before I had a regular job by saving birthday and Christmas money and doing odd-jobs for people in the neighborhood.

As for the cost of a graphics card for a gaming PC, you don’t need anywhere near an Nvidia TITAN to game on high settings. The TITAN is overkill for 99% of all games. If you watch sales and prices you can EASILY pick up a pre-made gaming desktop or laptop for sub-$1000. No it won’t be a screaming machine but it will play all games at better than medium graphics without dipping below 60 fps.

If you, for some reason, just can’t find a decently priced pre-built system to your liking, you can always buy the components yourself and build a custom rig.

WinXP mode on 7 was and is a joke. That was a piece of junk that barely worked. There is FAR better emulation software out there.

Anonymous Coward says:

Re: Re: Re:3 can't we all just - just get along

ahh… the “no true Scotsmen” argument? really?

I make more than enough money to easily afford every console made. I do have an Nvidia 1080 water cooled and could afford either of the Titan cards too, but its a waste of money to go that high, hell the 1080 is a waste of money but bragging rights I guess.

Gaming is a passion so much that I have been learning Unity 3d to see if I can make my own game as an indie and make a living there. But I will never buy another console because I hate the monopolies.

Anonymous Coward says:

Re: Re: Re:4 can't we all just - just get along

ahh… the "no true Scotsmen" argument? really?

No, sorry if I was unclear. It doesn’t have anything to do whether he is a true gamer or not. All I meant was that if it was truly that important to him to have every console exclusive, then he should have no trouble finding ways to earn/save enough money to buy them.

JoeCool (profile) says:

Re: can't we all just - just get along

Intel and AMD don’t work together on anything. At best, they each license designs for the other to use (AMD – the basic x86 patents, and misc other things like SSEx, Intel – the AMD64 extension, mainly). You really don’t WANT the two major players in an industry working together – that’s called collusion and leads to Bad Things. Sony and MS working together would not result in the best of both worlds; history shows it would result in the WORST of both worlds… for the consumer. Things get better when the major players compete.

Anonymous Coward says:

Re: can't we all just - just get along

gaming consoles are stupid and monopolistic. I stopped buying them. I got tired of not being able to play with my friends because they had the wrong platform.

consoles need to die, everyone needs to just join the PC master race and not because I am a fan boi. But because we need to stop letting these fucking gaming companies develop monopolies. If I could play games with PC/XBOX/PS/Nin players then I would not give a fuck, but I am sick of the monopolies.

If you bought a gaming console then you are directly funding the problem.

Anonymous Coward says:

Re: Re: can't we all just - just get along

Not sure what you mean by monopolies. There are a minimum of 3 major gaming console makers. In addition you have the mobile and PC platforms.

The fact that they don’t have cross-platform multiplayer doesn’t make them monopolies. And if you want to really complain about that, blame Sony. Microsoft is really opening up to cross-platform and so is Nintendo (not their first party games but many third party ones).

If you’re upset because you have a different platform than your friends, then that’s not really the console makers’ fault. Go get a different console or become a PC gamer if all your friends game on PC.

Do changes need to be made in the console world? Yes, but they themselves aren’t inherently a problem or bad. I’ve owned most major consoles up to the Xbox 360 and been perfectly happy.to play.

The Wanderer (profile) says:

Re: Re: Re: can't we all just - just get along

I think that’s based on the idea that “the makers of the console pay, or otherwise induce, the makers of a particular game to release it as an exclusive for a single console” is monopolistic behavior, in that it’s an artificial limitation on the breadth of the market availability of the game.

I don’t know how common that type of exclusivity is nowadays, but at one point in my awareness of the gaming industry, the impression was that it was nearly standard.

Anonymous Coward says:

Re: Re: Re:2 can't we all just - just get along

It did used to be pretty standard but now it’s actually pretty rare aside from first party titles (e.g. games made by console makers or studios they own, like Nintendo Mario, Sony Ratchet and Clank, etc…).

Independent big name games like CoD and Battlefront are multi-platform because they get better sales the more platforms they are on. Whereas first party titles made by the console maker give people a reason to buy their specific console.

The Wanderer (profile) says:

Re: Re: Re:3 can't we all just - just get along

I would consider that to be a different type of exclusivity, and not include it under the same heading for determining – er – common-ness.

There’s a considerable difference between “We’re going to release this for our own platform and nothing else, because we want to” and either / both of “If you release this for any platforms other than ours, we’ll penalize you” or “If you release this for only our platform, we’ll reward you”.

Anonymous Coward says:

The flaw in the tlb

was disclosed within the *nix community 11 years ago. The NSA knew it and did Apple, Microsoft, Intel, ARM, AMD, IBM, etc.

IBM researched it and that is why OS/390 running on X86 doesn’t suffer from the flaw.

This isn’t an NSA problem, this is a problem with the tech companies who buried the heads in the sand.

pegr (profile) says:

Old news?

Familiar with OpenBSD? Theo de Raadt is the Linus Torvalds of OpenBSD. He’s cantankerous, sometimes rude, very passionate, very intelligent…

And he called this whole mess 11 years ago!

https://marc.info/?l=openbsd-misc&m=118296441702631&w=2

As a result, OpenBSD required NO patches for this issue. The workarounds have been in the code since this issue was spotted by Theo. 11 years ago. The information was there. But no one listened.

Anonymous Coward says:

Re: Old news?

Theo is sarcastic, condescending, and absolutely perfect for the role of managing OpenBSD. He punishes stupidity ruthlessly — as it should be punished. So it’s not a surprise at all: he’s called out other vulnerabilities years in advance of general public awareness of them.

OpenBSD isn’t perfect, of course. Nothing is. But it’s so far ahead of everything else that there’s really no debate to be had. And the biggest reason why it’s so is that Theo wants it that way. Kudos to him.

Anonymous Coward says:

*Why* didn't they know?

Cache attacks, and side channels in general, have been all the rage over the past year or two. And particularly after Rowhammer, researchers made good progress in reverse-engineering CPU cache behavior in detail. E.g., "On 27 March 2017 researchers at Austria’s Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels." Or see how a researcher got really close to finding it last August; or how quickly people started looking in the right areas once they got suspicous of those Linux patches, and figured it out from AMD’s statement.

If the NSA didn’t know, it reflects poorly on their capabilities. It was obvious to everyone that this was a fruitful research area, and most researchers are using imprecise and slow black-box reverse-engineering methods. With the NSA’s resources, they should already have figured out in detail how the CPU’s caches and speculative executors work—the government computers they’re supposed to defend (and attack) are depending on it after all. Based on research trends they should’ve had a team looking for stuff like this by 2016 at the latest; and it shouldn’t have taken them more than a few months to find these exact bugs.

Crypto researchers used to say the NSA was a decade ahead of the public. Whether they knew of Meltdown or not, they certainly don’t seem that far ahead anymore.

Anonymous Coward says:

how about

also introducing vulns?

https://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to

Not only would the NSA absolutely and GLEEFULLY abuse vulnerability they will PAY companies to put them into their products intentionally!

Anonymous Coward says:

The NSA has an interesting relationship with "knowing"

“NSA did not *know* about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”

Clapper: “Not knowingly.”

Translation: NSA doesn’t need meltdown/spectre, because it already owns the Intel Management Engine and “Trusted” Execution Engine.

Jose Conseco's finger says:

not smart enough for the lying game

Given the NSA’s inability to do things like unlocking an iphone a while back, i can believe that they wouldn’t know about this exploit…or about any exploit in general. Even if they were told about it, they’d either A) deny it, or B) ignore it until something bad happened, and then take measures to ensure somebody that isn’t them was to blame.

Anonymous Coward says:

Re: Re: In Other News ...

Keeping an eye on RISC-V.

That does look the most promising. There are a few others:

I’ll be interested in playing with these open CPU projects once the general FPGA-development clusterfuck (i.e. the requirement for proprietary tooling) is resolved. There’s Project IceStorm but it supports fairly weak FPGAs only.

Anonymous Coward says:

Re: In Other News ...

Bruce Schneier is predicting that, now that security researchers are taking an interest in microprocessors, more such unpleasant discoveries are likely to come.

Not much of a prediction, really: "Though Intel was indeed working on a fix, the Graz team wasn’t the first to tell the chip giant about the [Meltdown] vulnerability. In fact, two other research teams had beaten them to it. Counting another, related technique that would come to be known as Spectre, Intel told the researchers they were actually the fourth to report the new class of attack, all within a period of just months." (from Wired)

Look at the crazy history of multiple discovery too. It’s (one reason) why patents are unfair, and delayed bug disclosure is dangerous.

Someone posted a link to a decades-old CPU design book saying that obviously speculative fetching must be prevented from crossing privilege levels; and lots of links to old messages where people almost figured out the bug. Researchers have been pushing hard at these parts of the CPU for the last couple of years in particular. Hell, I don’t know much about it, and when I saw that AMD message I looked at Intel’s optimization guide and thought the BTB stood out (involved in prediction, has a fair bit of state, and severely underdocumented).

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...