Intel Didn’t Disclose Spectre, Meltdown to US Government Until News Went Public

Intel is under fire for failing to disclose Spectre and Meltdown to the US government after it heard about the attacks in June. A month ago, we reported that some governmental agencies like the NSA hadn’t been informed of the exploits. It now appears that no government agency was informed about the exploits, period, until the news went public.

Current and former U.S. government officials said the government was not informed of the flaws before they became public because the flaws potentially held national security implications, Reuters reports. Intel said it did not think the flaws needed to be shared with US authorities, as “hackers had not exploited the vulnerabilities.” This information is drawn from the letters Intel, AMD, and ARM sent to Greg Walden (R-OR), who chairs the House Energy and Commerce Committee.

This is a laughable excuse. First of all, Intel is not automatically in a position to know if exploits have been used or not. White hats monitor these sorts of problems closely, but mass-produced malware isn’t the only kind of exploit that exists in the universe. If an intelligence agency discovered and deployed targeted software packages to capture data from certain individuals, we’d never know about it. Heck, that’s why some of Snowden’s disclosures surprised people. Folks had suspected that some of this activity occurred, but hadn’t put all the pieces together yet.

The second reason this excuse beggars belief is that Intel didn’t apply it consistently. Here’s Reuters again: “Intel said that it did inform other technology companies that use its chips of the issue, according to its letter.” So it was important enough to tell customers, including some Chinese customers, that its CPUs had critical problems, but not important enough to tell the government which actually depends on Intel CPUs to hold top-secret information and data repositories.

Google first found the flaws as part of Project Zero and informed Intel, AMD, and ARM of their findings. It gave them the standard 90 days to fix the problem, only to extend that deadline to January 3 and then to January 9. This explains, I suspect, why Intel was able to supposedly include hardware mitigations for its upcoming Cannon Lake processors — it had the lead time necessary to do so. Alphabet left it up to the chip companies themselves as to whether they’d inform the government.

Intel’s decision to withhold this information rankles because of the incredibly unequal standard it applied to disclosure. If Intel did disclose these flaws to Chinese customers, we can assume the Chinese government likely found out about them, given the degree of data surveillance that country practices.

That’s not a good look for Intel, and the CEO’s decision to sell the maximum allowance of stock he was allowed to sell before the news dropped doesn’t exactly make him look great, either. Given how long it’s taken Intel to develop patches and how fraught development has been, I can understand not admitting the flaw publicly until you have fixes ready to go. That’s common sense. But not informing government agencies under a confidentiality agreement is something altogether different. As a result, some of the customers most likely to be targeted by exploits for Meltdown and Spectre were the last to be notified the problem existed.
