NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns

from the lol-ok-then dept

News surfaced late last week indicating everything about computing is fucked. Two critical flaws with zero perfect fixes -- affecting millions of processors -- were exposed by security researchers. Patches have been deployed and more are on their way, but even the best fixes seem to guarantee a noticeable slowdown in processing speed.

The government has stepped up to say that, for once, it's not involved in making computing less safe.

Current and former U.S. officials... said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.

Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”

The veracity of this statement is largely dependent on the credibility attributed to the person making it. While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it's laughable to assert the NSA wouldn't "put a major company in a position of risk" by withholding details on an exploit. We only have the entire history of the NSA's use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.

The NSA has left major companies in vulnerable positions, often for years -- something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.

These recently-discovered exploits may be the ones that got away -- ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn't. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That's just how this works. As long as exploits are returning intel otherwise inaccessible, the NSA will use the exploits for as long as possible before disclosing this info to US companies. The agency has historically shown little concern about collateral damage and I don't believe putting someone new in charge of the VEP is going to make that much of a difference in the future.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 9 Jan 2018 @ 3:34am

    Fox denies knowledge of huge hole in the fence. Claims it would never harm chickens.

    I think a fellow reader summarized it quite well:

    He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions. - Thomas Jefferson

    Source comment

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 3:51am

    A scorpion and a frog meet on the bank of a stream and the
    scorpion asks the frog to carry him across on its back. The
    frog asks, "How do I know you won't sting me?" The scorpion
    says, "Because if I do, I will die too."

    The frog is satisfied, and they set out, but in midstream,
    the scorpion stings the frog. The frog feels the onset of
    paralysis and starts to sink, knowing they both will drown,
    but has just enough time to gasp "Why?"

    Replies the scorpion: "It's my nature..."

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 9 Jan 2018 @ 7:48pm

      "It's my nature..."

      A wave of outrage in the frog communities over Scorpion-Rivergate turns into a frog cultural movement towards authoritarianism and nationalism. Scorpions in frog nations are rounded up into concentration camps and put to work. Soon all arachnids are classified as scorpions de facto and interned.

      Frog Supreme Directorship (FSD) publishes a list of under-frogs, persons within frog society or interact with frogs who are either too meek or too dangerous to be tolerated. A bounty is offered to identify underfrogs so they can be be captured and interned. Non-amphians are quickly classified as underfrogs causing a refugee crisis of tens of thousands on the shores of Morocco.

      Soon disabled frogs, frogs with deviant predilections, purple frogs, countercultural frogs, communist frogs, snake sympathizers and state dissenters are counted as underfrogs and rounded up. Supreme Frog announces a New World Order in which Frog Society will prevail and rule over all species for a thousand years.

      Soon, the fifty Frogmacht armor divisions mobilize on the first day of the Great Eastward Frog Offensive to secure Europe and Asia.

      Meanwhile The Secret Frog Administration (SFA) contends with the rising overpopulation of its workcamps and ghettos. Under the new budget, the Frog state can no longer afford to feed and maintain the camps, and a more permanent solution to underfrog redundancy must be found.

      ...or maybe I'm reading too much into the parable.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 4:15am

    This is why the government and the NSA hate whistleblowers like Snowden. It gives everyone a reason to distrust them, even when they might be telling the truth.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 9 Jan 2018 @ 4:40am

    "NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas."

    However domestically, no comment.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jan 2018 @ 6:30am

      Re:

      Also no comment on untargeted dragnet surveillance.

      From the post:

      The veracity of this statement is largely dependent on the credibility attributed to the person making it.

      It also depends on how much they know. The oversight bodies were surprised by some of the stuff NSA were doing, so why not this guy?

      reply to this | link to this | view in chronology ]

  • icon
    ThaumaTechnician (profile), 9 Jan 2018 @ 5:24am

    Well, given how the NSA mangles language...

    It could be a perfectly true statement.

    Except for the parts where every word in their statement means something completely different from what the rest of the world thinks it does.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 5:42am

    but...

    did not != will not

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 6:06am

    can't we all just - just get along

    If Intel and AMD (and thus ATI) can work together on a processor, why can't Microsoft and Sony work together on a console. Imagine 1 console codeveloped by these 2 companies released every 6 years--with a mid cycle console (think XBOX 1 X and PS4 Pro -or- the "thin" versions) separately, sold at a lower price,at the mid point between each 6 year upgrade. Like this: in 2020 the SonyMicrosoft Box is released, in 2023 the XBOX.5 and PSX Pro are each released on the same day for half the cost of the SonyMicrosoft box, in 2026 the SonyMicrosoft Box 2 is released. Problem solved: no more exclusive titles & no more console wars. (Toyota and Subaru did something like this with the Toyota 86 and Subaru BRZ).

    Also: high frame rates and high graphic fidelity are not necessarily mutually exclusive. Just give gamers the option to choose between the two with a check box or slider or something:
    -click this box for 60 fps gameplay with medium graphics
    -click this box for high graphics with slower than 60 fps
    Some might ask "why can't there be a 3rd box -click this box for 60 fps with high graphics"? Well, that 3rd box could exist, but the price of the console would then be prohibitive.
    Just thinking out loud...

    reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Anonymous Coward, 9 Jan 2018 @ 6:11am

      Re: can't we all just - just get along

      My god, you gamers are stupid.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 6:37am

        Re: Re: can't we all just - just get along

        As a REAL gamer, no, this person is not a gamer. Please do not confuse the two of us.

        Real gamers understand that what this person says is the dumbest thing ever. While multiple console exclusives can be annoying, it is great for competition and forces Microsoft and Sony to constantly compete and try to outdo each other. It's one of the things that has led to the booming and vibrant game market today. A collaboration would be horrifying.

        Also, @OP, that third box you want? It's called a PC and it's not cost prohibitive.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 9 Jan 2018 @ 7:01am

          Re: Re: Re: can't we all just - just get along

          That wasn't my point. (Although you're correct.) My point is that this utterly worthless moron dropped a comment into a serious thread about a major security problem (and the NSA's possible knowledge of it) that had absolutely nothing to do with the topic at hand, only with his pathetic obsession with games. This is a painful level of stupid, particularly when I have to face it too early in the day to resort to booze.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 9 Jan 2018 @ 7:38am

            Re: Re: Re: Re: can't we all just - just get along

            My apologies.

            I agree, the OP was very off-topic. The way you worded your response, "you gamers", led me to believe you were referring to all gamers, not just this one particular poster. Sorry for the misunderstanding.

            reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 9 Jan 2018 @ 9:29am

            Re: Re: Re: Re: can't we all just - just get along

            We already know the NSA, Spectre, and Meltdown exist. A new superconsole though? That would be news.

            reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 9 Jan 2018 @ 7:10am

          Re: Re: Re: can't we all just - just get along

          Not everyone can afford both systems at the same time though, and the video card alone, on a gaming PC, can be way more expensive than a console (cough Nvidia TITAN). If only there were some type of emulation mode on each console (like Win XP mode on Win 7) that would let you play Crackdown on PS4...

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 9 Jan 2018 @ 7:41am

            Re: Re: Re: Re: can't we all just - just get along

            you don't have to buy a fucking $600 gaming card. PC is just cheaper over the long haul no matter how you slice the pie!

            They last longer and are upgrade-able. Consoles die a lot and youare beholden to a MFG for your shit. Take nintendo and all the people that lost games becuase they were bound to their consoles or when a MFG wipes your game saves out when fixing your shit.

            Console buyers deserve the miseries they get!

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 9 Jan 2018 @ 7:53am

              Re: Re: Re: Re: Re: can't we all just - just get along

              It's just performance vs. convenience. PC's are far more capable of higher frame rates and graphics than consoles, but there's something to be said for the ease of use(and now portability thanks to the Switch) of consoles.

              When I grow up, I'm gonna make a high end PC, capable of whateverK HDR gameplay at over 60fps, that also has a dock for it's included portable (4K HDR >60fps) gameplay device. A PC/Switch combo.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 9 Jan 2018 @ 7:58am

                Re: Re: Re: Re: Re: Re: can't we all just - just get along

                Try a gaming laptop. Easy to use and very portable with desktop level graphics capability.

                reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 9 Jan 2018 @ 7:58am

                Re: Re: Re: Re: Re: Re: can't we all just - just get along

                Don't worry. The next Switch will be PC compatible (dockable), and will stream all games to your TV, and will play at higher framerates/graphics when PC docked.

                #calledit

                reply to this | link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 9 Jan 2018 @ 9:04am

                  Re: Re: Re: Re: Re: Re: Re: can't we all just - just get along

                  Right now I would not bet on streaming being a good solution. It will add latency to your gaming. Every MS you add to your reaction time just means you get fragged more often.

                  I play on a 65 inch Samsung QLED that has about 21ms of delay. My human reaction time is around 100~200 ms, but add that to the delay from my TV and I am instantly 10~21% slower just because my TV has 21ms worth of input lag, it really adds up.

                  I have had situations where I had an older TV that I played on and my friends would mow me down constantly. With my new lower Lag TV I actually am able to win slightly more than 1/2 the time. The difference is noticeable.

                  reply to this | link to this | view in chronology ]

                • icon
                  An Onymous Coward (profile), 9 Jan 2018 @ 4:28pm

                  Re: Re: Re: Re: Re: Re: Re: can't we all just - just get along

                  There are already products on the market that do this.

                  reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 9 Jan 2018 @ 7:54am

            Re: Re: Re: Re: can't we all just - just get along

            If gaming is truly your passion and you absolutely have to have all exclusives for every console (been there, done that, got the t-shirt) then I'm certain you can find a way to make enough money to buy each and every console. I managed to do it before I had a regular job by saving birthday and Christmas money and doing odd-jobs for people in the neighborhood.

            As for the cost of a graphics card for a gaming PC, you don't need anywhere near an Nvidia TITAN to game on high settings. The TITAN is overkill for 99% of all games. If you watch sales and prices you can EASILY pick up a pre-made gaming desktop or laptop for sub-$1000. No it won't be a screaming machine but it will play all games at better than medium graphics without dipping below 60 fps.

            If you, for some reason, just can't find a decently priced pre-built system to your liking, you can always buy the components yourself and build a custom rig.

            WinXP mode on 7 was and is a joke. That was a piece of junk that barely worked. There is FAR better emulation software out there.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 9 Jan 2018 @ 9:09am

              Re: Re: Re: Re: Re: can't we all just - just get along

              ahh... the "no true Scotsmen" argument? really?

              I make more than enough money to easily afford every console made. I do have an Nvidia 1080 water cooled and could afford either of the Titan cards too, but its a waste of money to go that high, hell the 1080 is a waste of money but bragging rights I guess.

              Gaming is a passion so much that I have been learning Unity 3d to see if I can make my own game as an indie and make a living there. But I will never buy another console because I hate the monopolies.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 9 Jan 2018 @ 9:27am

                Re: Re: Re: Re: Re: Re: can't we all just - just get along

                ahh... the "no true Scotsmen" argument? really?

                No, sorry if I was unclear. It doesn't have anything to do whether he is a true gamer or not. All I meant was that if it was truly that important to him to have every console exclusive, then he should have no trouble finding ways to earn/save enough money to buy them.

                reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 7:12am

        Re: Re: can't we all just - just get along

        don't taze me bro!

        reply to this | link to this | view in chronology ]

    • icon
      JoeCool (profile), 9 Jan 2018 @ 6:13am

      Re: can't we all just - just get along

      Intel and AMD don't work together on anything. At best, they each license designs for the other to use (AMD - the basic x86 patents, and misc other things like SSEx, Intel - the AMD64 extension, mainly). You really don't WANT the two major players in an industry working together - that's called collusion and leads to Bad Things. Sony and MS working together would not result in the best of both worlds; history shows it would result in the WORST of both worlds... for the consumer. Things get better when the major players compete.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jan 2018 @ 6:33am

      Re: can't we all just - just get along

      Problem solved: no more exclusive titles & no more console wars.

      Exclusive titles are not a problem for Sony and MS. They pay developers to make stuff exclusive to their platforms.

      reply to this | link to this | view in chronology ]

    • icon
      Wolfie0827 (profile), 9 Jan 2018 @ 7:05am

      Re: can't we all just - just get along

      I have the name for this console. The S&M Console
      (Do I really need to explain that?)

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 7:11am

        Re: Re: can't we all just - just get along

        whaaa?

        reply to this | link to this | view in chronology ]

        • icon
          JoeCool (profile), 9 Jan 2018 @ 8:39am

          Re: Re: Re: can't we all just - just get along

          I guess it does need explaining. :D He's alluding to the fact that Sony and MS working jointly on a console would bring forth the WORST of both, making the result sadistic for any masochistic customers of said console.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jan 2018 @ 7:38am

      Re: can't we all just - just get along

      gaming consoles are stupid and monopolistic. I stopped buying them. I got tired of not being able to play with my friends because they had the wrong platform.

      consoles need to die, everyone needs to just join the PC master race and not because I am a fan boi. But because we need to stop letting these fucking gaming companies develop monopolies. If I could play games with PC/XBOX/PS/Nin players then I would not give a fuck, but I am sick of the monopolies.

      If you bought a gaming console then you are directly funding the problem.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 9:48am

        Re: Re: can't we all just - just get along

        Not sure what you mean by monopolies. There are a minimum of 3 major gaming console makers. In addition you have the mobile and PC platforms.

        The fact that they don't have cross-platform multiplayer doesn't make them monopolies. And if you want to really complain about that, blame Sony. Microsoft is really opening up to cross-platform and so is Nintendo (not their first party games but many third party ones).

        If you're upset because you have a different platform than your friends, then that's not really the console makers' fault. Go get a different console or become a PC gamer if all your friends game on PC.

        Do changes need to be made in the console world? Yes, but they themselves aren't inherently a problem or bad. I've owned most major consoles up to the Xbox 360 and been perfectly happy.to play.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 12:20pm

        Re: Re: can't we all just - just get along

        How TF are they "monopolistic?" WTF are you talking about?

        reply to this | link to this | view in chronology ]

        • icon
          The Wanderer (profile), 9 Jan 2018 @ 3:41pm

          Re: Re: Re: can't we all just - just get along

          I think that's based on the idea that "the makers of the console pay, or otherwise induce, the makers of a particular game to release it as an exclusive for a single console" is monopolistic behavior, in that it's an artificial limitation on the breadth of the market availability of the game.

          I don't know how common that type of exclusivity is nowadays, but at one point in my awareness of the gaming industry, the impression was that it was nearly standard.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 9 Jan 2018 @ 5:04pm

            Re: Re: Re: Re: can't we all just - just get along

            It did used to be pretty standard but now it's actually pretty rare aside from first party titles (e.g. games made by console makers or studios they own, like Nintendo Mario, Sony Ratchet and Clank, etc...).

            Independent big name games like CoD and Battlefront are multi-platform because they get better sales the more platforms they are on. Whereas first party titles made by the console maker give people a reason to buy their specific console.

            reply to this | link to this | view in chronology ]

            • icon
              The Wanderer (profile), 11 Jan 2018 @ 5:33am

              Re: Re: Re: Re: Re: can't we all just - just get along

              I would consider that to be a different type of exclusivity, and not include it under the same heading for determining - er - common-ness.

              There's a considerable difference between "We're going to release this for our own platform and nothing else, because we want to" and either / both of "If you release this for any platforms other than ours, we'll penalize you" or "If you release this for only our platform, we'll reward you".

              reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 6:34am

    The flaw in the tlb

    was disclosed within the *nix community 11 years ago. The NSA knew it and did Apple, Microsoft, Intel, ARM, AMD, IBM, etc.

    IBM researched it and that is why OS/390 running on X86 doesn't suffer from the flaw.

    This isn't an NSA problem, this is a problem with the tech companies who buried the heads in the sand.

    reply to this | link to this | view in chronology ]

  • identicon
    pegr, 9 Jan 2018 @ 6:38am

    Old news?

    Familiar with OpenBSD? Theo de Raadt is the Linus Torvalds of OpenBSD. He's cantankerous, sometimes rude, very passionate, very intelligent...


    And he called this whole mess 11 years ago!

    https://marc.info/?l=openbsd-misc&m=118296441702631&w=2


    As a result, OpenBSD required NO patches for this issue. The workarounds have been in the code since this issue was spotted by Theo. 11 years ago. The information was there. But no one listened.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jan 2018 @ 6:58am

      Re: Old news?

      Theo is sarcastic, condescending, and absolutely perfect for the role of managing OpenBSD. He punishes stupidity ruthlessly -- as it should be punished. So it's not a surprise at all: he's called out other vulnerabilities years in advance of general public awareness of them.

      OpenBSD isn't perfect, of course. Nothing is. But it's so far ahead of everything else that there's really no debate to be had. And the biggest reason why it's so is that Theo wants it that way. Kudos to him.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 6:51am

    *Why* didn't they know?

    Cache attacks, and side channels in general, have been all the rage over the past year or two. And particularly after Rowhammer, researchers made good progress in reverse-engineering CPU cache behavior in detail. E.g., "On 27 March 2017 researchers at Austria's Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels." Or see how a researcher got really close to finding it last August; or how quickly people started looking in the right areas once they got suspicous of those Linux patches, and figured it out from AMD's statement.

    If the NSA didn't know, it reflects poorly on their capabilities. It was obvious to everyone that this was a fruitful research area, and most researchers are using imprecise and slow black-box reverse-engineering methods. With the NSA's resources, they should already have figured out in detail how the CPU's caches and speculative executors work—the government computers they're supposed to defend (and attack) are depending on it after all. Based on research trends they should've had a team looking for stuff like this by 2016 at the latest; and it shouldn't have taken them more than a few months to find these exact bugs.

    Crypto researchers used to say the NSA was a decade ahead of the public. Whether they knew of Meltdown or not, they certainly don't seem that far ahead anymore.

    reply to this | link to this | view in chronology ]

    • identicon
      Dirk Diggler, 9 Jan 2018 @ 9:21am

      Re: *Why* didn't they know?

      they had access they are just lying like with all of their statements...

      Disinformation works best

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 7:18am

    what about MINIX

    is the MINIX OS vulnerability in the Intel processors addressed in Meltdown or Spectre?

    First Apple is throttling crap, now this Intel mess. Next they're gonna be telling us that Santa Clause isn't real.

    If it's man built, it's not perfect, because man is not perfect.

    reply to this | link to this | view in chronology ]

    • icon
      David (profile), 9 Jan 2018 @ 3:54pm

      Re: what about MINIX

      No. That is a completely separate issue.

      As is the licensing of Minix.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 6:25pm

        Re: Re: what about MINIX

        Not entirely separate: MINIX is likely affected by this problem too. (Apparently the CPU's built-in copy of MINIX runs on a tiny 486-class CPU which isn't vulnerable. But MINIX running as the main OS would be.)

        reply to this | link to this | view in chronology ]

  • icon
    Seegras (profile), 9 Jan 2018 @ 7:20am

    would never put a major company like Intel in a position of risk

    Wannacry?

    In other words: Already did. ALL major companies and everyone else IN THE WHOLE WORLD. For three years.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 7:46am

    how about

    also introducing vulns?

    https://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

    https://www.theve rge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to


    Not only would the NSA absolutely and GLEEFULLY abuse vulnerability they will PAY companies to put them into their products intentionally!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2018 @ 9:15am

    The NSA has an interesting relationship with "knowing"

    "NSA did not *know* about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability."

    Clapper: "Not knowingly."

    Translation: NSA doesn't need meltdown/spectre, because it already owns the Intel Management Engine and "Trusted" Execution Engine.

    reply to this | link to this | view in chronology ]

  • identicon
    Joel Coehoorn, 9 Jan 2018 @ 9:33am

    I fixed it for you

    > "affecting millions of processors"

    Should be:

    > affecting billions of processors

    Cue the Dr Evil impressions now.

    reply to this | link to this | view in chronology ]

  • icon
    sehlat (profile), 9 Jan 2018 @ 9:44am

    Heinlein On Lying

    ...once a man gets a reputation as a liar, he might as well be struck dumb, for people do not listen to the wind.

    reply to this | link to this | view in chronology ]

  • identicon
    Lawrence D’Oliveiro, 9 Jan 2018 @ 10:29am

    If They Didn’t Know ...

    ... then they are a bunch of useless incompetents. Because the unclassified research community is now doing a better job of uncovering such vulnerabilities than they are.

    The NSA might as well be shut down.

    reply to this | link to this | view in chronology ]

  • identicon
    Jose Conseco's finger, 9 Jan 2018 @ 10:32am

    not smart enough for the lying game

    Given the NSA's inability to do things like unlocking an iphone a while back, i can believe that they wouldn't know about this exploit...or about any exploit in general. Even if they were told about it, they'd either A) deny it, or B) ignore it until something bad happened, and then take measures to ensure somebody that isn't them was to blame.

    reply to this | link to this | view in chronology ]

  • icon
    Mononymous Tim (profile), 9 Jan 2018 @ 10:39am

    Even IF they didn't know about (HA!!!), they sure as heck are using it now.

    reply to this | link to this | view in chronology ]

  • identicon
    Lawrence D'Oliveiro, 9 Jan 2018 @ 11:30am

    In Other News ...

    ... Bruce Schneier is predicting that, now that security researchers are taking an interest in microprocessors, more such unpleasant discoveries are likely to come.

    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 9 Jan 2018 @ 3:44pm

      Re: In Other News ...

      I'm hoping this leads to greater interest in open hardware. Obviously just because something is auditable doesn't mean it won't have vulnerabilities, or that they won't go unnoticed for years (see OpenSSL), but it still beats proprietary black boxes.

      Keeping an eye on RISC-V.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jan 2018 @ 5:31pm

        Re: Re: In Other News ...

        Keeping an eye on RISC-V.

        That does look the most promising. There are a few others:

        I'll be interested in playing with these open CPU projects once the general FPGA-development clusterfuck (i.e. the requirement for proprietary tooling) is resolved. There's Project IceStorm but it supports fairly weak FPGAs only.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jan 2018 @ 5:20pm

      Re: In Other News ...

      Bruce Schneier is predicting that, now that security researchers are taking an interest in microprocessors, more such unpleasant discoveries are likely to come.

      Not much of a prediction, really: "Though Intel was indeed working on a fix, the Graz team wasn't the first to tell the chip giant about the [Meltdown] vulnerability. In fact, two other research teams had beaten them to it. Counting another, related technique that would come to be known as Spectre, Intel told the researchers they were actually the fourth to report the new class of attack, all within a period of just months." (from Wired)

      Look at the crazy history of multiple discovery too. It's (one reason) why patents are unfair, and delayed bug disclosure is dangerous.

      Someone posted a link to a decades-old CPU design book saying that obviously speculative fetching must be prevented from crossing privilege levels; and lots of links to old messages where people almost figured out the bug. Researchers have been pushing hard at these parts of the CPU for the last couple of years in particular. Hell, I don't know much about it, and when I saw that AMD message I looked at Intel's optimization guide and thought the BTB stood out (involved in prediction, has a fair bit of state, and severely underdocumented).

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.