back to article SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Four Republican members of the US House of Representatives sent letters on Wednesday to the leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft seeking answers about how the embargo on the Meltdown and Spectre bugs was handled. The secrecy agreement, put in place by these same companies, demanded silence from June …

  1. Anonymous Coward
    Anonymous Coward

    Cloud Sales Up

    Bet this doesn't make the slightest bit of difference to dent Cloud sales / Cloud-sourcing and cost control. Maybe there needs to be a fund, like an insurance pool for the tech industry... Where vulnerabilities are disclosed to trusted Orgs & Individuals. But also where ethical hackers can claim income / reward for not disclosing vulnerabilities publicly until a fix is ready???

    https://www.bloomberg.com/news/features/2018-01-18/intel-has-a-big-problem-it-needs-to-act-like-it

    1. BillG Silver badge
      Megaphone

      Re: Cloud Sales Up

      In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting... and we will bring our checkbooks to support their re-election campaigns."

  2. Brian Miller

    No Home for Insecurity

    The House of Representatives earlier this month approved the "Cyber Vulnerability Disclosure Reporting Act," to ensure that the Department of Homeland Security tells elected officials about its policies and procedures for bug reporting.

    OK, Homeland (in)Security will tell us about its reporting practices, which means nothing. Headline: Government's Most Useless Agency Takes Lead Reporting Nothing.

    No, what's needed is not more hand-wringing and angsty looks, but to simply throw out this embargo business altogether. You got a security leak? It hits the news. You got a database hack? It hits the news. You got bug X? Same deal, news.

    In theory, hackers will exploit everything. Well, aren't they doing that now?

    1. a_yank_lurker Silver badge

      Re: No Home for Insecurity

      While there is almost certainly a bit of posturing by the Congress Critters, the fact there are no reliable patches for these problems from anyone is troubling. Compounded with patches do not seem to coming in the immediate future. While the real danger to users is uncertain at this point, there are more immediate damaging exploits in the wild, the collective blundering invites scrutiny..

    2. teknopaul Bronze badge

      Re: No Home for Insecurity

      No bounty will get paid if you disclose the day you find a bug.

      If you get rid of the legit market for bugs the only market is the black market.

  3. Andy Mac
    Paris Hilton

    Where’s the awful backronym?

    I was expecting something like the VULnerability Verification Act.

  4. Anonymous Coward
    Anonymous Coward

    Did the Reg contact Intel etc?

    Reading

    However, unaware of any embargo and after some detective work, The Register broke the news a week early, on January 2, 2018.

    Did you contact any vendors prior to release this news?, if so what responses?

    1. teknopaul Bronze badge

      Re: Did the Reg contact Intel etc?

      Vulture: hi can I speak to someone about the upcoming security snafu

      Intel: sure, let me put you through to marketing.

    2. This post has been deleted by a moderator

  5. alain williams Silver badge

    Look at the dates ...

    It was known about for over half a year; el Reg blew the gaff a week early; only then did Intel & others release microcode to mitigate the problems. But that microcode was buggy, it crashed systems.

    So are we to assume that in that last week they were going to test, debug & distribute fixed microcode ?

    I would like to know what they spent that half year doing - other than sticking their heads in the sand.

    1. Anonymous Coward
      Anonymous Coward

      Re: Look at the dates ...

      Yes, you should be asking about the dates. Click on the link in The Register's article with ARM's response: "a white paper and mitigation code". Note the phrase "Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding." Well I guess ARM would say that as they are largely unaffected.

      Now try searching Google for "Flaw in Intel chips could make malware attacks more potent" and read the ARS Technica article and note the date - 2016:

      "Modern CPUs rely on the branch predictor to speed up operations by anticipating the addresses where soon-to-be-executed instructions are located. They speculate whether a branch is taken or not and, if taken, what address it goes to. The buffers store addresses from previous branches to facilitate the prediction. The new technique exploits collisions in the branch target buffer table to figure out the addresses where specific code chunks are located."

      Sound familiar?

      It should be - search for "Daniel Gruss" in Google and you will note he has worked on Prefetch Side Channel attacks as far back as 2016, oh, and also Meltdown and Spectre!

      Don't you find this rather strange that it was "discovered" by Google in mid 2017? Why were we not patching as far back as 2016? The cynic in me can't help thinking that this may have suited certain security agencies for this not to be patched... or was it not disclosed because of the innevitable fall out on Intel... and I suppose Intel's CEO just happened to get really lucky selling all those stocks too...

      Then there's Google. Most Google products run on ARM and not Intel. Their new Fuchsia OS first appeared on Github in August 2016. This OS has a microkernel - Zircon (previously Magenta). I wonder if this OS is vulnerable to Meltdown or Spectre?

      Google's project zero is more political than it is for finding and fixing security problems. How many times has Google publicly released Microsoft vulnerabilities in the past before Microsoft has had a chance to patch them? CVE-2017-0037 is just one example.

      I wonder who could possibly benefit if Microsoft and Intel were publicly discredited? Hmmm....

  6. kev whelan

    Panic

    Having released the news early, you cab hardly be surprised about the ensuing panic, can you now ?

    1. Chairman of the Bored Silver badge

      Re: Panic

      No downvote because I can kind of see where you are coming from, but the lack of quality apparent in the mitigation makes one question whether the industry had any real intention of fixing the problems.

      The purpose of a free press in a democracy is not entertainment; it is a feedback mechanism that exposes problems. In this case, it delivered a pretty well timed kick in the arse to the right target.

      When I was in gov't service we would ask each other and ourselves, "Yeah, this may be legal... But would we want ourselves on the front cover of the Washington Post doing it?"... "No?!" ... "Then FFS stop doing it!"

    2. Ben1892

      Don't Panic

      So following that through, none of the players had their "Don't Panic" media campaign planned, spokespeople briefed, copy written and fixes ready. But instead, they were going to do that all in the week before the embargo was lifted.

      I know we think El Reg is the centre of the universe, but you know what, I don't think that many people pay it much attention, not enough to cause looting and world chaos anyway ;)

      1. 404 Silver badge

        Re: Don't Panic

        El Reg is generally ahead of the curve, so bad luck to the looting and world chaos folks... El Reg commentards get the opportunity to loot and cause world chaos *first*.

        :)

  7. David Nash Silver badge
    Joke

    Apple

    Were part of the organised embargo, according to the article. I guess that's why El Reg. knew nothing about it

  8. TaabuTheCat

    El Reg "broke the news" - really?

    Sorry for the rant El Reg, I still love you, but I'm getting annoyed with the constant chest thumping about "breaking the news" on Meltdown and Spectre. I found out about it on Reddit a day before El Reg wrote the first story. (You too??)

    Guess in your world reading about it somewhere other than a "news" site doesn't count, but in my book when someone "breaks the news", it's typically novel information they discovered, usually through investigation or research, not something being publicly discussed for a day on one of the world's most frequented websites. Just feels like you're taking credit (over and over again) where it's not due.

    Maybe I have it all wrong - maybe you were hot of the trail of Meltdown weeks before you "broke" the story, but you made no mention of any investigation in your original piece and the details in the original story looked a lot like a rehash of sources being quoted on Reddit from the day before.

    Feel free to correct me if I have this all wrong. I may have simply got up on the wrong side of the bed this morning.

  9. Anonymous Coward
    Anonymous Coward

    NSA

    So, was the NSA exploiting these bugs? (That's mostly a rhetorical question, of course.)

  10. MAH

    What I can't figure out is why all the panic from these vendors who knew it has been around since July. I mean really...did intel only write and test the BIOS update the week before the official notification.

    They had realistically Oct-Dec to actually do testing and refine the BIOS updates in concert with all the other vendors patches...which considering vendors had 3 months to create the patches and 3 months of testing should have meant that the early notification should have been no big deal....

  11. sisk Silver badge

    They knew about the problem for 6 months and panicked because Reg broke the story a week early? Shouldn't the fix have been ready and just waiting for someone to hit the button to distribute it by then? Perhaps there's a reason that the fix Intel sent out looks like a bodged together mess.

  12. Anonymous Coward
    Anonymous Coward

    Looks are telling

    As a consultant working on an aspect of this problem, I asked management what have you done previously before you called me? They all just kept desperately eyeing to a man sitting in the corner of the room. To their horror, I knew who that man was.

    I hope that at the end of this fiasco, a nice case study gets written up before the movie comes out.

  13. Nimby
    Mushroom

    Two Pseudo-Randomly Generated Thoughts

    1. This is the Information Age; knowledge disseminates. People who think security by obfuscation is helping anyone really need to wake up and smell the coffee.

    2. Not only does it not make any sense to have not fully tested a fix for a problem known for so long, but it makes even less sense to not have released the fixes out early (under the guise of something else if necessary) so that by the time the official reveal is made, there's actually nothing to report other than "problem solved". So this seems like a massive double-fail in handling these issues.

  14. Glen Turner 666

    Is that a log in your eye I see before me?

    No one wants to deal with the government agency empowered and best placed to deal with high impact cybersecurity issues -- the NSA. Until the US Government fixes this, criticising non-government entities is pointless.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019