NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns
from the lol-ok-then dept
News surfaced late last week indicating everything about computing is fucked. Two critical flaws with zero perfect fixes — affecting millions of processors — were exposed by security researchers. Patches have been deployed and more are on their way, but even the best fixes seem to guarantee a noticeable slowdown in processing speed.
The government has stepped up to say that, for once, it’s not involved in making computing less safe.
Current and former U.S. officials… said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.
Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”
The veracity of this statement is largely dependent on the credibility attributed to the person making it. While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it’s laughable to assert the NSA wouldn’t “put a major company in a position of risk” by withholding details on an exploit. We only have the entire history of the NSA’s use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.
The NSA has left major companies in vulnerable positions, often for years — something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.
These recently-discovered exploits may be the ones that got away — ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn’t. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That’s just how this works. As long as exploits are returning intel otherwise inaccessible, the NSA will use the exploits for as long as possible before disclosing this info to US companies. The agency has historically shown little concern about collateral damage and I don’t believe putting someone new in charge of the VEP is going to make that much of a difference in the future.
Filed Under: meltdown, nsa, rob joyce, spectre, vep, vulnerabilities, vulnerabilities equities process
Companies: intel
Comments on “NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns”
Fox denies knowledge of huge hole in the fence. Claims it would never harm chickens.
I think a fellow reader summarized it quite well:
He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions. – Thomas Jefferson
Source comment
Re: Re:
A founding father quote? Nice!
A scorpion and a frog meet on the bank of a stream and the
scorpion asks the frog to carry him across on its back. The
frog asks, “How do I know you won’t sting me?” The scorpion
says, “Because if I do, I will die too.”
The frog is satisfied, and they set out, but in midstream,
the scorpion stings the frog. The frog feels the onset of
paralysis and starts to sink, knowing they both will drown,
but has just enough time to gasp “Why?”
Replies the scorpion: “It’s my nature…”
Re: "It's my nature..."
A wave of outrage in the frog communities over Scorpion-Rivergate turns into a frog cultural movement towards authoritarianism and nationalism. Scorpions in frog nations are rounded up into concentration camps and put to work. Soon all arachnids are classified as scorpions de facto and interned.
Frog Supreme Directorship (FSD) publishes a list of under-frogs, persons within frog society or interact with frogs who are either too meek or too dangerous to be tolerated. A bounty is offered to identify underfrogs so they can be be captured and interned. Non-amphians are quickly classified as underfrogs causing a refugee crisis of tens of thousands on the shores of Morocco.
Soon disabled frogs, frogs with deviant predilections, purple frogs, countercultural frogs, communist frogs, snake sympathizers and state dissenters are counted as underfrogs and rounded up. Supreme Frog announces a New World Order in which Frog Society will prevail and rule over all species for a thousand years.
Soon, the fifty Frogmacht armor divisions mobilize on the first day of the Great Eastward Frog Offensive to secure Europe and Asia.
Meanwhile The Secret Frog Administration (SFA) contends with the rising overpopulation of its workcamps and ghettos. Under the new budget, the Frog state can no longer afford to feed and maintain the camps, and a more permanent solution to underfrog redundancy must be found.
…or maybe I’m reading too much into the parable.
Re: Re: "It's my nature..."
Sounds about right.
This is why the government and the NSA hate whistleblowers like Snowden. It gives everyone a reason to distrust them, even when they might be telling the truth.
Re: Re:
It’s the NSA themselves giving us the reasons to distrust them.
The whistleblowers are just bringing those reasons to light.
Re: Re:
Yes. It’s Snowden’s fault the NSA is untrustworthy.
“NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas.”
However domestically, no comment.
Re: Re:
Also no comment on untargeted dragnet surveillance.
From the post:
It also depends on how much they know. The oversight bodies were surprised by some of the stuff NSA were doing, so why not this guy?
Well, given how the NSA mangles language...
It could be a perfectly true statement.
Except for the parts where every word in their statement means something completely different from what the rest of the world thinks it does.
but...
did not != will not
can't we all just - just get along
If Intel and AMD (and thus ATI) can work together on a processor, why can’t Microsoft and Sony work together on a console. Imagine 1 console codeveloped by these 2 companies released every 6 years–with a mid cycle console (think XBOX 1 X and PS4 Pro -or- the “thin” versions) separately, sold at a lower price,at the mid point between each 6 year upgrade. Like this: in 2020 the SonyMicrosoft Box is released, in 2023 the XBOX.5 and PSX Pro are each released on the same day for half the cost of the SonyMicrosoft box, in 2026 the SonyMicrosoft Box 2 is released. Problem solved: no more exclusive titles & no more console wars. (Toyota and Subaru did something like this with the Toyota 86 and Subaru BRZ).
Also: high frame rates and high graphic fidelity are not necessarily mutually exclusive. Just give gamers the option to choose between the two with a check box or slider or something:
-click this box for 60 fps gameplay with medium graphics
-click this box for high graphics with slower than 60 fps
Some might ask “why can’t there be a 3rd box -click this box for 60 fps with high graphics”? Well, that 3rd box could exist, but the price of the console would then be prohibitive.
Just thinking out loud…
Re: can't we all just - just get along
My god, you gamers are stupid.
Re: Re: can't we all just - just get along
As a REAL gamer, no, this person is not a gamer. Please do not confuse the two of us.
Real gamers understand that what this person says is the dumbest thing ever. While multiple console exclusives can be annoying, it is great for competition and forces Microsoft and Sony to constantly compete and try to outdo each other. It’s one of the things that has led to the booming and vibrant game market today. A collaboration would be horrifying.
Also, @OP, that third box you want? It’s called a PC and it’s not cost prohibitive.
Re: Re: Re: can't we all just - just get along
That wasn’t my point. (Although you’re correct.) My point is that this utterly worthless moron dropped a comment into a serious thread about a major security problem (and the NSA’s possible knowledge of it) that had absolutely nothing to do with the topic at hand, only with his pathetic obsession with games. This is a painful level of stupid, particularly when I have to face it too early in the day to resort to booze.
Re: Re: Re:2 can't we all just - just get along
My apologies.
I agree, the OP was very off-topic. The way you worded your response, “you gamers”, led me to believe you were referring to all gamers, not just this one particular poster. Sorry for the misunderstanding.
Re: Re: Re:2 can't we all just - just get along
We already know the NSA, Spectre, and Meltdown exist. A new superconsole though? That would be news.
Re: Re: Re: can't we all just - just get along
Not everyone can afford both systems at the same time though, and the video card alone, on a gaming PC, can be way more expensive than a console (cough Nvidia TITAN). If only there were some type of emulation mode on each console (like Win XP mode on Win 7) that would let you play Crackdown on PS4…
Re: Re: Re:2 can't we all just - just get along
you don’t have to buy a fucking $600 gaming card. PC is just cheaper over the long haul no matter how you slice the pie!
They last longer and are upgrade-able. Consoles die a lot and youare beholden to a MFG for your shit. Take nintendo and all the people that lost games becuase they were bound to their consoles or when a MFG wipes your game saves out when fixing your shit.
Console buyers deserve the miseries they get!
Re: Re: Re:3 can't we all just - just get along
It’s just performance vs. convenience. PC’s are far more capable of higher frame rates and graphics than consoles, but there’s something to be said for the ease of use(and now portability thanks to the Switch) of consoles.
When I grow up, I’m gonna make a high end PC, capable of whateverK HDR gameplay at over 60fps, that also has a dock for it’s included portable (4K HDR >60fps) gameplay device. A PC/Switch combo.
Re: Re: Re:4 can't we all just - just get along
Try a gaming laptop. Easy to use and very portable with desktop level graphics capability.
Re: Re: Re:4 can't we all just - just get along
Don’t worry. The next Switch will be PC compatible (dockable), and will stream all games to your TV, and will play at higher framerates/graphics when PC docked.
#calledit
Re: Re: Re:5 can't we all just - just get along
Right now I would not bet on streaming being a good solution. It will add latency to your gaming. Every MS you add to your reaction time just means you get fragged more often.
I play on a 65 inch Samsung QLED that has about 21ms of delay. My human reaction time is around 100~200 ms, but add that to the delay from my TV and I am instantly 10~21% slower just because my TV has 21ms worth of input lag, it really adds up.
I have had situations where I had an older TV that I played on and my friends would mow me down constantly. With my new lower Lag TV I actually am able to win slightly more than 1/2 the time. The difference is noticeable.
Re: Re: Re:5 can't we all just - just get along
There are already products on the market that do this.
Re: Re: Re:2 can't we all just - just get along
If gaming is truly your passion and you absolutely have to have all exclusives for every console (been there, done that, got the t-shirt) then I’m certain you can find a way to make enough money to buy each and every console. I managed to do it before I had a regular job by saving birthday and Christmas money and doing odd-jobs for people in the neighborhood.
As for the cost of a graphics card for a gaming PC, you don’t need anywhere near an Nvidia TITAN to game on high settings. The TITAN is overkill for 99% of all games. If you watch sales and prices you can EASILY pick up a pre-made gaming desktop or laptop for sub-$1000. No it won’t be a screaming machine but it will play all games at better than medium graphics without dipping below 60 fps.
If you, for some reason, just can’t find a decently priced pre-built system to your liking, you can always buy the components yourself and build a custom rig.
WinXP mode on 7 was and is a joke. That was a piece of junk that barely worked. There is FAR better emulation software out there.
Re: Re: Re:3 can't we all just - just get along
ahh… the “no true Scotsmen” argument? really?
I make more than enough money to easily afford every console made. I do have an Nvidia 1080 water cooled and could afford either of the Titan cards too, but its a waste of money to go that high, hell the 1080 is a waste of money but bragging rights I guess.
Gaming is a passion so much that I have been learning Unity 3d to see if I can make my own game as an indie and make a living there. But I will never buy another console because I hate the monopolies.
Re: Re: Re:4 can't we all just - just get along
No, sorry if I was unclear. It doesn’t have anything to do whether he is a true gamer or not. All I meant was that if it was truly that important to him to have every console exclusive, then he should have no trouble finding ways to earn/save enough money to buy them.
Re: Re: can't we all just - just get along
don’t taze me bro!
Re: can't we all just - just get along
Intel and AMD don’t work together on anything. At best, they each license designs for the other to use (AMD – the basic x86 patents, and misc other things like SSEx, Intel – the AMD64 extension, mainly). You really don’t WANT the two major players in an industry working together – that’s called collusion and leads to Bad Things. Sony and MS working together would not result in the best of both worlds; history shows it would result in the WORST of both worlds… for the consumer. Things get better when the major players compete.
Re: Re: can't we all just - just get along
you’re right; competition does lower prices
Re: Re: can't we all just - just get along
have you heard of EMIB?
Re: Re: Re: can't we all just - just get along
Yes, Intel and AMD have announced they’ll work on a combined Intel CPU/AMD GPU for mobile. It remains to be seen if they can actually collaborate long enough to get something out, at which point you CAN state that Intel and AMD have worked together on something. 😀
Re: Re: Re:2 can't we all just - just get along
Joe, you’re so romantic…I mean pedantic. Ooooh burn!
Re: Re: Re:2 can't we all just - just get along
https://arstechnica.com/gadgets/2018/01/hps-new-15-inch-spectre-x360-uses-the-hybrid-intelamd-processor/
https://arstechnica.com/gadgets/2018/01/dells-xps-15-gets-the-2-in-1-treatment-plus-radeon-rx-vega-graphics/
Re: can't we all just - just get along
Exclusive titles are not a problem for Sony and MS. They pay developers to make stuff exclusive to their platforms.
Re: can't we all just - just get along
I have the name for this console. The S&M Console
(Do I really need to explain that?)
Re: Re: can't we all just - just get along
whaaa?
Re: Re: Re: can't we all just - just get along
I guess it does need explaining. 😀 He’s alluding to the fact that Sony and MS working jointly on a console would bring forth the WORST of both, making the result sadistic for any masochistic customers of said console.
Re: can't we all just - just get along
gaming consoles are stupid and monopolistic. I stopped buying them. I got tired of not being able to play with my friends because they had the wrong platform.
consoles need to die, everyone needs to just join the PC master race and not because I am a fan boi. But because we need to stop letting these fucking gaming companies develop monopolies. If I could play games with PC/XBOX/PS/Nin players then I would not give a fuck, but I am sick of the monopolies.
If you bought a gaming console then you are directly funding the problem.
Re: Re: can't we all just - just get along
Not sure what you mean by monopolies. There are a minimum of 3 major gaming console makers. In addition you have the mobile and PC platforms.
The fact that they don’t have cross-platform multiplayer doesn’t make them monopolies. And if you want to really complain about that, blame Sony. Microsoft is really opening up to cross-platform and so is Nintendo (not their first party games but many third party ones).
If you’re upset because you have a different platform than your friends, then that’s not really the console makers’ fault. Go get a different console or become a PC gamer if all your friends game on PC.
Do changes need to be made in the console world? Yes, but they themselves aren’t inherently a problem or bad. I’ve owned most major consoles up to the Xbox 360 and been perfectly happy.to play.
Re: Re: can't we all just - just get along
How TF are they “monopolistic?” WTF are you talking about?
Re: Re: Re: can't we all just - just get along
I think that’s based on the idea that “the makers of the console pay, or otherwise induce, the makers of a particular game to release it as an exclusive for a single console” is monopolistic behavior, in that it’s an artificial limitation on the breadth of the market availability of the game.
I don’t know how common that type of exclusivity is nowadays, but at one point in my awareness of the gaming industry, the impression was that it was nearly standard.
Re: Re: Re:2 can't we all just - just get along
It did used to be pretty standard but now it’s actually pretty rare aside from first party titles (e.g. games made by console makers or studios they own, like Nintendo Mario, Sony Ratchet and Clank, etc…).
Independent big name games like CoD and Battlefront are multi-platform because they get better sales the more platforms they are on. Whereas first party titles made by the console maker give people a reason to buy their specific console.
Re: Re: Re:3 can't we all just - just get along
I would consider that to be a different type of exclusivity, and not include it under the same heading for determining – er – common-ness.
There’s a considerable difference between “We’re going to release this for our own platform and nothing else, because we want to” and either / both of “If you release this for any platforms other than ours, we’ll penalize you” or “If you release this for only our platform, we’ll reward you”.
The flaw in the tlb
was disclosed within the *nix community 11 years ago. The NSA knew it and did Apple, Microsoft, Intel, ARM, AMD, IBM, etc.
IBM researched it and that is why OS/390 running on X86 doesn’t suffer from the flaw.
This isn’t an NSA problem, this is a problem with the tech companies who buried the heads in the sand.
Re: The flaw in the tlb
Can you give a good source on that? Just for those of us only partly or not in the know.
Re: Re: The flaw in the tlb
Nevermind, good link in the next comment…
Old news?
Familiar with OpenBSD? Theo de Raadt is the Linus Torvalds of OpenBSD. He’s cantankerous, sometimes rude, very passionate, very intelligent…
And he called this whole mess 11 years ago!
https://marc.info/?l=openbsd-misc&m=118296441702631&w=2
As a result, OpenBSD required NO patches for this issue. The workarounds have been in the code since this issue was spotted by Theo. 11 years ago. The information was there. But no one listened.
Re: Old news?
Theo is sarcastic, condescending, and absolutely perfect for the role of managing OpenBSD. He punishes stupidity ruthlessly — as it should be punished. So it’s not a surprise at all: he’s called out other vulnerabilities years in advance of general public awareness of them.
OpenBSD isn’t perfect, of course. Nothing is. But it’s so far ahead of everything else that there’s really no debate to be had. And the biggest reason why it’s so is that Theo wants it that way. Kudos to him.
*Why* didn't they know?
Cache attacks, and side channels in general, have been all the rage over the past year or two. And particularly after Rowhammer, researchers made good progress in reverse-engineering CPU cache behavior in detail. E.g., "On 27 March 2017 researchers at Austria’s Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels." Or see how a researcher got really close to finding it last August; or how quickly people started looking in the right areas once they got suspicous of those Linux patches, and figured it out from AMD’s statement.
If the NSA didn’t know, it reflects poorly on their capabilities. It was obvious to everyone that this was a fruitful research area, and most researchers are using imprecise and slow black-box reverse-engineering methods. With the NSA’s resources, they should already have figured out in detail how the CPU’s caches and speculative executors work—the government computers they’re supposed to defend (and attack) are depending on it after all. Based on research trends they should’ve had a team looking for stuff like this by 2016 at the latest; and it shouldn’t have taken them more than a few months to find these exact bugs.
Crypto researchers used to say the NSA was a decade ahead of the public. Whether they knew of Meltdown or not, they certainly don’t seem that far ahead anymore.
Re: *Why* didn't they know?
they had access they are just lying like with all of their statements…
Disinformation works best
what about MINIX
is the MINIX OS vulnerability in the Intel processors addressed in Meltdown or Spectre?
First Apple is throttling crap, now this Intel mess. Next they’re gonna be telling us that Santa Clause isn’t real.
If it’s man built, it’s not perfect, because man is not perfect.
Re: what about MINIX
No. That is a completely separate issue.
As is the licensing of Minix.
Re: Re: what about MINIX
Not entirely separate: MINIX is likely affected by this problem too. (Apparently the CPU’s built-in copy of MINIX runs on a tiny 486-class CPU which isn’t vulnerable. But MINIX running as the main OS would be.)
would never put a major company like Intel in a position of risk
Wannacry?
In other words: Already did. ALL major companies and everyone else IN THE WHOLE WORLD. For three years.
how about
also introducing vulns?
https://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to
Not only would the NSA absolutely and GLEEFULLY abuse vulnerability they will PAY companies to put them into their products intentionally!
The NSA has an interesting relationship with "knowing"
“NSA did not *know* about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”
Clapper: “Not knowingly.”
Translation: NSA doesn’t need meltdown/spectre, because it already owns the Intel Management Engine and “Trusted” Execution Engine.
I fixed it for you
> “affecting millions of processors”
Should be:
> affecting billions of processors
Cue the Dr Evil impressions now.
Heinlein On Lying
…once a man gets a reputation as a liar, he might as well be struck dumb, for people do not listen to the wind.
If They Didn’t Know ...
… then they are a bunch of useless incompetents. Because the unclassified research community is now doing a better job of uncovering such vulnerabilities than they are.
The NSA might as well be shut down.
not smart enough for the lying game
Given the NSA’s inability to do things like unlocking an iphone a while back, i can believe that they wouldn’t know about this exploit…or about any exploit in general. Even if they were told about it, they’d either A) deny it, or B) ignore it until something bad happened, and then take measures to ensure somebody that isn’t them was to blame.
Even IF they didn’t know about (HA!!!), they sure as heck are using it now.
In Other News ...
… Bruce Schneier is predicting that, now that security researchers are taking an interest in microprocessors, more such unpleasant discoveries are likely to come.
Re: In Other News ...
I’m hoping this leads to greater interest in open hardware. Obviously just because something is auditable doesn’t mean it won’t have vulnerabilities, or that they won’t go unnoticed for years (see OpenSSL), but it still beats proprietary black boxes.
Keeping an eye on RISC-V.
Re: Re: In Other News ...
That does look the most promising. There are a few others:
I’ll be interested in playing with these open CPU projects once the general FPGA-development clusterfuck (i.e. the requirement for proprietary tooling) is resolved. There’s Project IceStorm but it supports fairly weak FPGAs only.
Re: In Other News ...
Not much of a prediction, really: "Though Intel was indeed working on a fix, the Graz team wasn’t the first to tell the chip giant about the [Meltdown] vulnerability. In fact, two other research teams had beaten them to it. Counting another, related technique that would come to be known as Spectre, Intel told the researchers they were actually the fourth to report the new class of attack, all within a period of just months." (from Wired)
Look at the crazy history of multiple discovery too. It’s (one reason) why patents are unfair, and delayed bug disclosure is dangerous.
Someone posted a link to a decades-old CPU design book saying that obviously speculative fetching must be prevented from crossing privilege levels; and lots of links to old messages where people almost figured out the bug. Researchers have been pushing hard at these parts of the CPU for the last couple of years in particular. Hell, I don’t know much about it, and when I saw that AMD message I looked at Intel’s optimization guide and thought the BTB stood out (involved in prediction, has a fair bit of state, and severely underdocumented).