Intel alerted Chinese cloud giants 'before US govt' about CPU bugs

Intel warned Chinese firms about its infamous Meltdown and Spectre processor vulnerabilities before informing the US government, it has emerged. Select big customers – including Lenovo and Alibaba – learned of the design blunders some time before Uncle Sam and smaller cloud computing suppliers, The Wall Street Journal reports …

  1. Anonymous Coward

    "We certainly would have liked to have been notified"

    US Patriotism my ass.... At ballgames and barbeques you'll see a lot of hats-off, hand-on-heart anthem blare-outs... But when it comes to big-biz, especially US tech giants, patriotic duty is only to their own bottom line.

    1. cbars

      Re: "We certainly would have liked to have been notified"

      Hello, I'm a Brit.

      If a UK company responsibly disclosed a vulnerability to affected vendors, ahead of GCHQ, I'd say great, and I don't think they'd complain either. Patriotism doesn't come into it unless you actually see the rest of the planet as your enemy. I know that's true for some American politicians but do you really think 5eyes should have first refusal on all vulnerabilities? I'd rather the spooks representing me developed real investigative techniques rather than depending on flaws - makes them lazy and inclined to lean on standards bodies to try to prevent innovation and improvement. The more secure the software everyone uses, the easier it is for the spooks to defend us from our real enemies, although it does make it harder from them to spy on us so some might not see it that way.

      1. tom dial Silver badge

        Re: "We certainly would have liked to have been notified"

        So Intel, Google, et al. declined to notify "lesser" users as well as the US and presumably allied governments of defective processors, but notified foreign purchasers of the processors, assuming, apparently, that those purchasers would be equally reticent with their government. While not proved, it is both possible and plausible that the Chinese government agents presumed responsible for raiding the US OPM for millions of SF-86 and similar files (including a couple of mine) had more than a month's lead over the US in preparing and perhaps deploying exploits based on these defective chips, as well as in preparing to defend China's infrastructure against such exploits.

        Given the sometimes astonishing leaks from US government agencies and the apparent eagerness of some media to publish anything juicy that comes their way, that may be understandable. Given that the main companies involved in this instance are homed in the US, I expect their managements may shortly come to see omitting DHS from the notification to have been a bit shortsighted, however.

        It is not necessary, or true, that the Five Eyes SigInt agencies view "the rest of the planet" as enemies to understand their behavior. For one thing, that determination is largely the province of the political classes. There are, of course, a few enemies as well as quite a few more adversaries, not to say a number of deeply religious groups so enlightened as to send their young men, and sometimes women and children to blow themselves up and take out some of the heathen in their quest to bring them enlightenment. The "rest of the planet" is not peopled entirely by nice people cheerfully engaged benignly in the pursuit of happiness; not, at least, by my standards. The implication that these agencies are engaged principally in internal spying exhibits considerable ignorance, possibly willful, of their primary purpose, the somewhat accidental structure of the Internet, and the general decency, and the legal controls and resource limits, that restrict what they actually do to far less than what they have, necessarily, the capability to do to accomplish their primary mission: to collect and analyze information to form judgments about the true interests, desires, capabilities, and intentions of overwhelmingly foreign actors.

        1. big_D Silver badge

          Re: "We certainly would have liked to have been notified"

          It looks like AMD did the same, my Asus motherboard received a partial Spectre patching update in December.

          I would say this is standard practice, the whole supply-chain needs to be informed (I'm betting Dell and HP were also informed at the same time as Lenovo, for example), so they can make a co-ordinated release of patches, when the situation is made public. (Kiboshed by El Reg jumping the gun by a week.)

          And, according to El Reg, the Linux Kernel people were also informed in advance, or at least a small team of them, probably Intel employees, so that the Linux Kernel was patchable for when the announcement was planned.

          Likewise Microsoft (and Apple), as the 2 major players in desktop, they were informed in advance, so they could patch in time for the announcement.

          Google didn't need informing to patch their infrastructure, as they were among the people who found the problems.

          I'd guess the biggest cloud providers, who weren't already informed as above, were then informed in order of size / importance, aka Amazon, then everyone else.

          Given that Intel needed to get microcode changes done and out to Microsoft, Apple and the Linux kernel, manufacturers needed to implement BIOS updates and MS, Apple, Linux, Google etc. needed to then triage their operating systems to close the holes or mitigate the problems, it isn't unreasonable that they were informed ahead of hosters and governments.

          1. Ken Hagan Gold badge

            Re: "We certainly would have liked to have been notified"

            "the whole supply-chain needs to be informed [...] so they can make a co-ordinated release of patches, when the situation is made public"

            If you are going to inform the whole supply chain, that makes it public. You can't keep a secret between (quite probably) several hundred people across several dozen organisations in several countries.

            1. big_D Silver badge

              Re: "We certainly would have liked to have been notified"

              In legal theory, yes, you can keep it secret. That's why there are non-disclosure agreements between companies and, if you are getting such information within a company, you usually have a non-disclosure agreement with your employer, so that you can't even talk to colleagues outside of your team or a defined list of people who are also in on the problem.

              I've been involved in several projects where dozens of people had to sign-off on such NDAs in order to be able to work.

              They are usually also punitive, so if you blab, you not only lose your job, but could be liable for damages caused. Obviously, some disgruntled employees might still blab, in practice, but they could find themselves in bankruptcy court very soon thereafter.

      2. boltar Silver badge

        Re: "We certainly would have liked to have been notified"

        "Hello, I'm a Brit."

        Thankfully not representative of all of us brits.

        "If a UK company responsibly disclosed a vulnerability to affected vendors, ahead of GCHQ, I'd say great, and I don't think they'd complain either. "

        Oh I don't think they'd be too thrilled though they wouldn't say so in public.

        "Patriotism doesn't come into it unless you actually see the rest of the planet as your enemy"

        If you think just because another country isn't your direct enemy they wish you health, happiness and want to skip down the street together hand in hand and wouldn't use underhand tactics to gain a commercial or military edge then I've got a bridge for sale you might be interested in.

        "I'd rather the spooks representing me developed real investigative techniques rather than depending on flaws"

        Awww, bless, how touchingly naive :o) Because obviously our intelligence services shouldn't use every available tool and technique, no no, they should stick to old fashioned techniques because otherwise it's Just Not British, right?

        I'm going to take a guess that you're fairly young and so don't really have a good grasp of human nature, still being at that stage where you think the world and people's motives are all black or white. Life isn't like that, it's all shades of grey. Perhaps one day you'll understand.

      3. Fourcheeze

        Re: "We certainly would have liked to have been notified"

        "Patriotism doesn't come into it unless you actually see the rest of the planet as your enemy."

        Exactly this. Ideally all vulnerabilities should be posted to the same place for all to see, but you can't blame Intel for looking after their biggest customers.

  2. Patched Out

    Thanks Intel

    Nice to see you have our back. Not!

    Makes me feel even better that I've used exclusively AMD processors for my personal builds over the last 20 years!

    1. Pascal Monett Silver badge

      Re: Thanks Intel

      It is the inevitable consequence of the term: multinational.

      Intel is NOT a US company, it is a world company.

      This is the obvious consequence.

      1. joed

        Re: Thanks Intel

        Well, let's see where they are incorporated.

        1. Destroy All Monsters Silver badge

          Re: Thanks Intel

          Intel is NOT a US company, it is a world company.

          Complete bullshit with a side order of more bullshit.

        2. Anonymous Coward

          Re: Thanks Intel

          I'm not sure it really matters where a company is incorporated. Where it does business is perhaps more important, seeing as doing business in a country typically makes one subject to the laws of that country. In any case, big international companies tend to have a complex structure with lots of entities incorporated in lots of places, including dodgy tax havens where they don't do much real business.

          I think it's fair to assume that the Chinese government would be unhappy if Intel were to overtly tell the US government about security bugs before telling major Chinese customers. But probably there are US spies inside Intel anyway. And perhaps also Chinese spies. These things can't really be kept secret for very long, so early public disclosure is good.

          1. John Brown (no body) Silver badge

            Re: Thanks Intel

            "I think it's fair to assume that the Chinese government would be unhappy if Intel were to overtly tell the US government about security bugs before telling major Chinese customers. "

            Not to mention that this is the sort of bug that commercial customers would be only too happy to honour an NDA. Whereas informing Govt. early, all it takes is one politician, possibly looking at a forthcoming election, who wants some extra publicity and the NDA is in the bin, on fire.

  3. Anonymous Coward

    Take bazooka, aim at foot

    It will be interesting to see how the SEC and DOJ will look at the trades done by Intel management during this period.

    USA government is renowned for its impartiality, sticking to the same rules for everyone and never ever going on vindictive sprees. Ask Qwest communications for a reference if you do not believe me...

  4. Herby Silver badge

    Possible word to wise...

    El Reg is really on top of things. Be well advised to monitor it closely.

    Look, if Vulture Central is being noted in the WSJ, it must be doing something right.

    Can't say much for Chipzilla Intel or others. Some genetic diversity in chip designs might be something to strive for. Of course I long for 68k processors, but that is another story.

    1. choleric

      Re: Possible word to wise...

      Yes, but El Reg is only noted with faint praise. Did you see how WSJ only said that the news became widespread the day AFTER El Reg broke it? The point being that our beloved IT Red Top is small fry.

      1. Notas Badoff

        Re: Possible word to wise...

        "... is small fry"

        and noted by big money and governmental crews.

        Even TheInquistor had to mention ElReg.

        I think I smell piquancy.

      2. Adam 1 Silver badge

        Re: Possible word to wise...

        Not sure small fry is the best description. Its readership is no doubt smaller than the WSJ's, but that is because it covers only* IT news and the other masthead is generic news and analysis. It is unsurprising that it takes some time for such news to be distilled down to a level where their readership actually gets the gist of the fact that it is going to affect them. I mean, how do you explain speculative branch prediction or kernel mode to someone with no understanding of computing architecture? You could reasonably explain a side channel attack by an analogy (eg a thief could check your water meter over a few days to determine whether you're on holiday), but this stuff is complex.

        *almost

        1. choleric

          Re: Possible word to wise...

          Hey, don't shoot the messenger. I'm not saying I think that El Reg is small fry, just pointing out that WSJ wasn't above belittling it, which wasn't big of them.

      3. gerdesj Silver badge

        Re: Possible word to wise...

        "Yes, but El Reg is only noted with faint praise."

        To be honest, all articles I read related to this mentioned el Reg as source, faint or otherwise. I think you'll find that el Reg is known around the place.

        It's a bloody red top, for goodness sake. Who wouldn't take them seriously? ... tut ...

  5. Doctor Syntax Silver badge

    Seems reasonable. If the NSA hadn't discovered it already it would have kept them from doing harm with it.

    1. Adam 1 Silver badge

      If I were Intel, I would have as a genuine concern that a disclosure to the NSA would be followed the next day by a secret court order preventing disclosure and therefore nipping in the bud any chance of the microcode patches* to partially mitigate the attack vectors being widely deployed.

      That said, I don't want to over defend their behaviour because I don't know the timeframes. If it were my call, I'd spread the news far enough that the genie is out of the bottle and not going back, then as early as possible work with various TLAs in their defense remit (the part of their job that they always seem to forget).

      *Leaving aside the, er, quality assurance issues surrounding these patches

      1. tom dial Silver badge

        Is there evidence of the NSA being other than a mostly passive consumer, sometime hoarder, and rather active user of vulnerability information? I have not become aware of such, but follow such matters only fitfully and would be interested in a cite or two of such court orders.

        In Intel's position, I would be more worried about US government leaks than about suppression of patch development, and probably more worried about the results of the class action lawsuits that have started in the last few weeks and will continue to grow for some time.

        1. Alister Silver badge

          @tom dial

          and would be interested in a cite or two of such court orders.

          I think you rather miss the point, these are "secret court orders" and as such, instances of them are unlikely to be available to cite.

          1. tom dial Silver badge

            Assuming the consequent usually is not considered a logical fallacy.

            It seemed to me reasonable to ask for actual evidence, or even suggestions of evidence, that the US government (probably the DoJ rather than the NSA or even the DHS) ever had taken such actions. I am not aware of any, but others might be.

  6. Anonymous Coward

    Possibly the NSA was well aware and Intel thought the NSA would spread the word OR the US of A is a mature market so favouring a massive growth market makes good fiscal cents/sense :P

    1. Pascal Monett Silver badge

      The only way the NSA is spreading anything is by getting hacked.

  7. mark l 2 Silver badge

    Since 2 different security teams discovered the bugs, it seems very likely the NSA knew about it before the announcement. They probably had malware that took advantage of it, but as with all the other flaws they discover, they wouldn't have informed the vendors when they discovered it, as they want to keep it for their own use as long as possible.

  8. Anonymous Coward

    So it looks like the NSA and the like are not monitoring the right corners of society! Could this count as treason? Come on Trump, take this mighty giant down!

  9. Anonymous Coward

    phraseology

    "It would have been nice to have been told about this" is very different to "it would have been nice to know about this".

    The idea that Google Zero knew about this and was coordinating with Intel about it and that NSA, Homeland, etc. didn't know is laughahahahable.

    For crying out loud, the CPU manufacturing company's name is Intel.

  10. Michael Hoffmann
    Meh

    Bread. Side. Buttered.

  11. Sgt_Oddball Silver badge
    Childcatcher

    they probably...

    Just assumed the US govt. already knew. No point in telling them twice.

    I do wonder if we'll see some large govt. pushback over this though, or will it be swept under the rug in time, like these things are wont to do by the mainstream media?

    (Kiddie catcher because it turns out not everything fits under the rug)

  12. Anonymous Coward

    Bollocks I say.

  13. Destroy All Monsters Silver badge
    Windows

    The last 4 days ruined EVERYTHING! We HAD IT! I SWEAR!!

    Those memos remind me of the times I had to find plausible-sounding waffle sprinkled with technowords to cover "other motives" and various pants-around-ankles in order to explain that what happened was ENTIRELY OUT OF OUR HANDS.

    It worked, too.

  14. DontFeedTheTrolls Silver badge
    Big Brother

    Who's Watching the Watchers

    "It is a "near certainty" that Beijing was aware of information exchanged between Intel and its Chinese tech partners because local authorities routinely monitor all such communications"

    It is a "near certainty" that Washington was aware of information exchanged between Intel and its ... partners because local authorities routinely monitor

  15. Anonymous Coward

    Why?

    Between the story on here about the UK losing another privacy battle with campaigners and the various stories that have further shown us that politicians on both sides of the pond just don't care about you or your immediate data security, I have to say Good! They told the people who can fix the problems, the people who actually matter.

    We're told market forces are king, well this is market forces, telling the government doesn't do much about the problem and only invites them to take advantage, so why rush to tell them....it's not like they are your customers or anything.

  16. VikiAi Silver badge
    Happy

    To be fair

    They probably assumed the intelligence community already knew!

  17. An0n C0w4rd

    Huh?

    So hang on, they say "Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication.".

    Notice the word "all" missing. They were very selective with their notifications, with some OS vendors finding out around the same time El Reg did, while Mickeysoft and Linux had months of notice.

    "In this case, news of the exploit was reported ahead of the industry coalition's intended public disclosure date at which point Intel immediately engaged the US government and others."

    Right. Because giving people 4 days to write extremely complex changes to their VM systems is TOTALLY FINE.

    Responsible disclosure my posterior.

  18. Nimby
    Meh

    Security By Obscurity is SOP

    It was clear that select partners were working in secret to mitigate the problem for the majority of affected consumers before notifying world+dog (governments included) that the problem exists, alerting evil-doers the world over to these vulnerabilities. Should governments have been notified about the secret mitigation efforts before world+dog? Ideally yes. Can you trust governments to be able to keep a secret when you hold no financial sword over their heads in the form of a penalty-laden NDA? And further when they do nothing about elected officials using insecure personal mail servers to handle top-secret information? Given that Intel was between a rock and a hard place, I can't really blame Intel for choosing to use obscurity as a security practice, even if I heavily disagree with it in general. It's standard operating procedure for tech companies to do things exactly as was done to mitigate vulnerabilities before public disclosure. Why would anyone expect this time to be any different than every other time?
