by sillysaurus3 3086 days ago
Hopefully not. Lawsuits are a fine way to stifle innovation. Imagine how hard it would be to push through any idea at Intel.

No one saw this coming. Things happen. It's impossible to predict every contingency.

They acted in good faith.

Also, heh, users are funny: "all other games i have work fin by the way so there must be a problem whit fortnite."

7 comments

> Things happen. It's impossible to predict every contingency.

Normally I'd agree but not in this case. Notice that besides latest ARM it seems no other architecture is susceptible to Meltdown - s390x, SPARC, POWER, AMD etc.

Speculatively loading and executing code across a protection boundary is something someone should have thought twice about. Doesn't mean other vendors knew or had PoC examples, but they could have had an instinctive hunch.

I've given this example before: say I have some sensitive data on a server. I could install a bunch of services and API endpoints on it, to access it faster, inspect it, extract it in various formats etc. Or I could decide to lock it down and just install only the minimum number of needed things, with everything locked down. Doesn't mean I knew all those additional APIs or services had vulnerabilities, but it's just a good practice.

If the server gets hacked and someone looks back, I think they would be justified asking "What the hell were you thinking installing all that crap you didn't need on it".

According to their patch notes Apple's ARM cores are also vulnerable. And it's not just the latest ARM, the A15, A57, and A72 are vulnerable to a less severe variant of Meltdown.

If you bought a car that needed to go 60mph and a subsequent update to the car from the manufacturer for safety meant it could only go 30mph, there would be legal consequences.

Of course you can't predict every contingency, but some of them you pay for.

Did Intel ever specifically 100% promise a certain performance in their advertising? Do they have contracts having such promises in them with vendors?

> Did Intel ever specifically 100% promise a certain performance in their advertising?

Yes.

They showcased benchmarks and paid people to benchmark/review their product along similar lines.

https://ark.intel.com/products/96900/Intel-Xeon-Processor-E7...

etc.

I have seen Intel post benchmarks that are no longer correct. So, yes.

> They acted in good faith.

That's new for a company, and it's not indicated by their PR spin right now.

What I think happened: a company produced a product with a problem. Probably not out of malice, but ignorance.

One of two things happened after, which can kill the 'good faith' argument; the problem was found internally and hushed, or the problem was found externally and minimized to reduce financial burden arising from fixing the problem and the PR related.

We have no way of knowing how well it was known about internally, but we can all see the PR going on from Intel right now, and I hope I'm not the only one who reads into those press releases to establish intent.

Well this type of attack has been theoretical for years. The Project Zero referenced some papers from the mid-2000s that talked about it. But the implementation, even today, isn't exactly trivial.

Modern processors are insanely complex systems. Branch prediction, out of order execution, hardware virtual memory management, hardware virtualization, etc. Not to mention that these are side-channel attacks. It's not a direct vulnerability, it requires executing some code and measuring timing very precisely; similar to an oscilloscope and a very expensive safe.

Of course Intel is going to be spinning this however they can for damage control. That's what PR departments do. I still doubt engineers at Intel really thought this attack was plausible, or else they wouldn't have been engineering chips this way for the past decade.

> Modern processors are insanely complex systems.

And until we align their market incentives properly, silicon vendors are going to continue to ignore this fact when it comes to verification. Intel is especially bad here; they’ve had an unreasonable number of hardware bugs in recent years.

> The Project Zero referenced some papers from the mid-2000s that talked about it.

http://www.daemonology.net/papers/htt.pdf

Intel got a report about this vulnerability from Google in July. Intel's CEO decided to sell stock in November, scheduling the sale in October. Intel also decided to pull the Coffee Lake desktop launch in from early 2018 all the way back to the start of Q4 2017 to try to stop the momentum AMD was building with Ryzen, while knowing this vulnerability was present - they're still planning on launching Cascade Lake the first half of this year and god knows if Meltdown will be fixed in it or not.

Right now, I think the problem started out of ignorance - but they have abused Google's policy of responsible disclosure to hide the flaw as long as they could and take advantage of their market position while the unknowing public kept buying their products. Now they are pulling the four D's of propaganda in their PR statements all while we are seeing huge performance deltas in graphs from Epic and more?

This is straight up deceptive, I'm glad I switched back to AMD with my new gaming rig and I already have plans in the works to purchase multiple EPYC servers with our datacenter move starting next month.

> Lawsuits are a fine way to stifle innovation.

I'm not sure about this. At any large company like Intel, the cost of potential - even predicted - lawsuits is already factored into their budgets.

I know almost nothing about law but I would assume a large company would be insured against contingencies like this.

I remember reading something about how rich people can get 'everything else' insurance that's basically applicable to anything bad that could happen to them. Maybe it's the same with companies?

You can insure almost anything, assuming you’re willing to pay the premium, and that the insurers are satisfied with their due diligence. BUT... that insurance company will look for any technicality, any little way that you failed the extensive duty to protect your insured assets, and try not to pay out.

So really, in this case insurance is just another word for “more lawyers to drag through the courts for people years, with uncertain results.”

> They acted in good faith.

They were aware of the problem for a couple of years: https://twitter.com/TheSimha/status/949361495468642304

> They acted in good faith.

The PR spin and misdirection games aren't in good faith, which completely demolishes this line of defense.

If no one saw it coming, why is it all over papers which suddenly appeared in the last few days here? It seems that in the world of high assurance security, this was largely assumed, but not provable due to proprietary walls.