Intel Didn’t Disclose Spectre, Meltdown to US Government Until News Went Public

Intel is under fire for failing to disclose Spectre and Meltdown to the US government after it heard about the attacks in June. A month ago, we reported that some governmental agencies like the NSA hadn’t been informed of the exploits. It now appears that no government agency was informed about the exploits, period, until the news went public.

Current and former U.S. government officials said the government was not informed of the flaws before they became public because the flaws potentially held national security implications, Reuters reports. Intel said it did not think the flaws needed to be shared with US authorities, as “hackers had not exploited the vulnerabilities.” This information is drawn from the letters Intel, AMD, and ARM sent to Greg Walden (R-OR), who chairs the House Energy and Commerce Committee.

This is a laughable excuse. First of all, Intel is not automatically in a position to know if exploits have been used or not. White hats monitor these sorts of problems closely, but mass-produced malware isn’t the only kind of exploit that exists in the universe. If an intelligence agency discovered and deployed targeted software packages to capture data from certain individuals, we’d never know about it. Heck, that’s why some of Snowden’s disclosures surprised people. Folks had suspected that some of this activity occurred, but hadn’t put all the pieces together yet.

The second reason this excuse beggars belief is that Intel didn’t apply it consistently. Here’s Reuters again: “Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.” So it was important enough to tell customers, including some Chinese customers, that its CPUs had critical problems, but not important enough to tell the government, which actually depends on Intel CPUs to hold top-secret information and data repositories.

Google first found the flaws as part of Project Zero and informed Intel, AMD, and ARM of their findings. It gave them the standard 90 days to fix the problem, only to extend that deadline to January 3 and then to January 9. This explains, I suspect, why Intel was able to supposedly include hardware mitigations for its upcoming Cannon Lake processors — it had the lead time necessary to do so. Alphabet left it up to the chip companies themselves as to whether they’d inform the government.

Intel’s decision to withhold this information rankles because of the incredibly unequal standard it applied to disclosure. If Intel did disclose these flaws to Chinese customers, we can assume the Chinese government likely found out about them, given the degree of data surveillance that country practices.

That’s not a good look for Intel, and the CEO’s decision to sell the maximum amount of stock he was allowed to sell before the news dropped doesn’t exactly make him look great, either. Given how long it’s taken Intel to develop patches and how fraught development has been, I can understand not admitting the flaw publicly until you have fixes ready to go. That’s common sense. But not informing government agencies under a confidentiality agreement is something altogether different. As a result, some of the customers most likely to be targeted by exploits for Meltdown and Spectre were the last to be notified the problem existed.
