Are you suggesting that we recall the great bulk of modern CPU's? Like, literally gut everyone's computers, including those in data centers and running critical infrastructure, until replacements are eventually manufactured?
Why would you need a proof of purchase? Intel can verify that it's its own unpatched chip out in the wild being returned for a recall. It doesn't matter if it's the original owner or a woman 15 owners down the line, it's still a loose security flaw out in the wild; who knows where or who whose network it will wind up. I don't need a proof of purchase when I bring my Ford in for its 10 recalls a year. I don't even need to care about which dealer I bring it into. It has to be fixed. They look at the VIN and if it's not marked as fixed they fix it.
Is there a market of 99%+ seemingly authentic fake Intel chips out there?
I think this is pretty weird thing to talk about, because it's kinda pointless. Do I think Intel ought to refund us somehow? Hell yeah I do, especially given the fact that I have bought a laptop with Intel processor recently and why even bother buying products with a warranty if any fatal design flows don't qualify as refundable anyway? Do I believe Intel will refund or replace something? Of course not, it's hardly even realistic. Even if they wanted to (which they surely don't) what kind of loan do they have to get to afford even a partial refund of every single Intel CPU out there?
Boxed Intel processors carry a 3 year warranty. It certainly seems reasonable for everyone who bought a CPU within the last 3 years to expect a warranty replacement with the manufacturer defect fixed.
In the EU virtually every product comes with a 2 year warranty. So every CPU sold in the EU in the last two years should be replaced for free by Intel, even through OEMs.
I wonder what potential class action lawsuits Intel might be facing.
Any sufficiently complex CPU surely contains some number of defects, perhaps even serious security defects, just as any sufficiently complex piece of software contains bugs and security holes. I wouldn't be surprised if someone tries to sue Intel over this, or even if they win, but this is way outside the scope of what a warranty would traditionally cover, which in the case of a CPU would be hardware failure. If a warranty had to cover every possible defect, a bunch of people would be constantly trying to get free CPUs out of Intel every time they updated their errata:
Note that the cost of overly onerous regulation (e.g. requiring that every computer manufacturer replace these chips even though the problems can largely be worked around in software) is of course passed onto consumers.
> but this is way outside the scope of what a warranty would traditionally cover
The warranty and any other legalese from intel is irrelevant here, this is about consumer protection laws of various countries that supersede an intel warranty. A serious post sale drop in performance would be enough for a refund on any computer purchased in many countries. In Australia if I bought a computer 6 months ago I'd be entitled to take it back to the store for a refund, then it's up to them to argue with dell and dell to argue with intel.
> Note that the cost of overly onerous regulation (e.g. requiring that every computer manufacturer replace these chips even though the problems can largely be worked around in software) is of course passed onto consumers.
Demanding that a product works and in lieu of that offering a replacement or refund is not overly onerous regulation, it's a very basic standard protection.
I’m not convinced that a software update slowing down your phone or computer a few percent while performing certain operations should automatically qualify you for a refund. It’s widely understood that keeping your computer secure requires installing software updates, and it’s even more widely understood that installing updates often slows down your computer. If that’s going to be your bar, I think an iPhone would have to sell for about $25,000 so Apple could afford to give you a replacement every year for the rest of your life.
Of course the cost of producing products that actually perform at the level they're advertised to perform is passed onto the consumer, regardless of regulation.
I guess it depends if everyone agrees on whether or not the product performs "as advertised" as not. If you have a defect that affects e.g. 1% of your users, but the government forces you to compensate 100% of your customers, that seems like an unnecessary cost.
For something like Meltdown/Spectre, the patches/workarounds reportedly barely affect some workloads, but cause drastic slowdowns for others. So already not everyone's affected to the same extent. Then you have computers with easily replaceable CPUs vs. stuff like phones and laptops which probably were only designed to work with a single CPU, and the manufacturer's already working on their next model and doesn't want to waste money building replacement parts for the previous one. At that point, maybe you have a complaint with e.g. Apple for selling you an iPhone that doesn't work as performed because they had to work around a security problem, and Apple might themselves go after Intel. The whole situation is a lot more complicated than "it should totally be covered under the warranty."
> Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed.
> […]
> Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.
Doesn't this affect all of their CPUs going a long way back? And how do you recall embedded or laptop CPUs, which are often soldered in-place?
A recall would be great, but there's no way they'd be able to do it. Vehicle recalls are a bit different because they impact physical safety. Digital safety doesn't get the same priority.
I don't think they would be able to produce all necessary CPUs. Replacing all current stock would create a huge problem. Replacing all sold cpus from the last two years would be a huge problem, even if (and I don't know how complicated or not it is) it would be quite simple to redesign all these chips, how long would it take to do that?
Then imagine all chips from 1995 to 2015, having to make them again, they don't have the machines anymore.
Also vehicle recalls are usually done by fixing stuff next time the vehicle comes in for regularly scheduled service. How often does your computer get those?
Dealers make almost zero margin on car sales(aside from used and trade-in shenanigans). The majority of their margin comes from services so they'll happily gouge you on them.
How about they go into bankruptcy with most of the world’s computer users as their creditors? Maybe not, but it’s terrifying that you can avoid responsibility by fucking up on a larger scale than most.
even if it affects all speculative CPUs, if this happened in the car world, all the cars would be recalled. Not saying that is practical in computer world...just continuing with the analogy.
Spectre/Meltdown is a wakeup call for many things, one of them probably being for computer manufacturers to not solder the CPU to the Motherboard and for the x86 world to stick with a standard socket, to facilitate replacing parts.
> "Spectre/Meltdown is a wakeup call for many things, one of them probably being for computer manufacturers to not solder the CPU to the Motherboard"
Good luck with that. A large portion of affected CPUs/SoCs are in mobile devices and ultrabooks. Socketed chips simply won't fly in those kinds of devices.
Then the whole device should be replaced, that's the price they pay for their design decisions. Being "too hard" doesn't absolve you of your responsibility to consumers.
Alternatively, even if the boards + CPU are tightly integrated, if used a particular standard like EOMA-68, then they could be easily replaced with rest of desktop/laptop/phone not being affected.
That was a reference to me? If so -- I'm flattered. I haven't yet asked Intel to soak a written apology with their tears, but it's an excellent idea! (I have, however, given them many other candid thoughts on how they can improve their handling of Spectre and Meltdown -- but so far, to no avail.)
Most vehicle recalls are not of the form: return your vehicle, we give you a new fixed one; but rather: bring your vehicle to one of our dealers and they'll perform some action to repair the defect.
The later is pretty analogous to issuing firmware and OS patches to mitigate the flaw.
What if the fix to the car reduced your MPG by 30% to address a safety issue? This seems somewhat analogous to the number being bandied about as the CPU performance decrease. (Depends on workload, etc, etc.) I think most car owners would expect some kind of compensation for a product that no longer has the same efficiency as when they bought it.
This issue is similar to what happened with the Volkswagen emission cheat. After they fix the ECU to have the advertised NOx emissions, the car lost peak power and fuel efficiency.
They will often refuse to do a recall even if personal safety is at risk. The real quantifier is how much financial damage the auto company will endure in the event they do or do not do a recall
> They will often refuse to do a recall even if personal safety is at risk.
Ford Pinto, anyone...
Another one that many people don't know about is a problem with old 2-door Tahoes; a bracket on the driver's side seat likes to fail upon quick acceleration - such as when getting on the freeway, for instance.
One minute you're upright, pushing the pedal to get up to speed, the next - whoops! - flat on your back! If you're lucky, you live to tell the tale...
AFAIK, GM never issued a recall about that one (it caused me to pass on a really nice lifted 4wd Tahoe a few years back)...
Eh, sometimes they do for the sake of brand preservation. If personal safety is at risk they will do a recall, either voluntary or mandated by the NHTSA.
And replace them with what? They don't have any current processor that doesn't have the same bugs. It will be years before they design and make one. The best we can do is some class action and get a refund, but not too much or they'll go broke and close.
Which doesn't have Meltdown but still has Spectre. Furthermore you have to replace at least the whole motherboard on a desktop or probably all of your laptop except the discs and maybe the RAM.
I didn't realize that when I made the comment, and I agree my suggestion falls flat now that I know.
> You have to replace at least the whole motherboard on a desktop or probably all of your laptop except the discs and maybe the RAM.
I'm ok with putting that responsibility on Intel to remedy the situation, even if it deeply hurt them financially or put them out of business. If you sell a faulty product that doesn't live up to its description, yes you risk actually going out of business. But with the fact that AMD has Spectre this idea of replacement no longer makes much sense and your original idea of a partial refund makes the most sense.
The problem is this nearly every single processor Intel shipped for a decade so Intel doesn't have the cash flow to RMA that many replacements. They're going to fight tooth and nail to avoid this.
In reality they could probably argue standard depreciation on a product and offer the remaining value as a discount towards a working product... only there currently aren't any equivalent products on the market. AMD's CPUs are still affected by lower profile variants of this, but aren't as /horridly/ broken.
In reality they could probably argue standard
depreciation on a product and offer the remaining
value as a discount towards a working product...
This could work for older models, but their flagship $15,000+ each (in bulk trays) are also affected. So its hard to argue depreciation on <2 month old silicon.
I can't imagine a court doing anything. The cost to intel is simply to high, and its not like they were negligent given that ARM/POWER/etc are all vulnerable to some extent too.
This whole thing is the equivalent of discovering that if someone throws enough nails on the road your car will blow a tire, spin out of control and kill you. With the kneejerk reaction of trying to fill everyone's tires with concrete to avoid the tires blowing out rather than trying to figure out how to keep people from throwing nails on the road (with the idea that spiteful users are more likely on toll roads) in the first place.
I agree with you that the courts probably won't do much, but you should not group all the CPU manufacturers together. Meltdown mainly (only?) affects Intel. It's spectre that affects basically everyone.
Actually, it is more like that someone can throw a rock through a car window and then compromise the car door lock. Or, probably more accurately, that a hitchhiker can knock you out of the car, and drive off with it.
Spectre/Meltdown ONLY is an issue if you run some untrusted code on your system. If you avoid this, there is not problem. Yes, we like to be able to run untrusted code (such as in a web browser / javascript), but that is not the fault of a car manufacturer that you like to pick up hitchhikers.
I'm with you on the untrusted code bit, which is why I think unmapping the kernel should be restricted to untrusted processes. Then it only applies to your browser, the KVM/qemu instances or whatever runs untrusted code.
Yup, this will hit the EC2/etc users hard, but those people have already IMHO given up on absolute performance by putting themselves in shared environments where bad neighbor syndrome can already hit their perf pretty badly.
But for whatever reason (probably because its easier) the current plan just seems to be to use the big hammer.
The big hammer is the pragmatic approach for the short term. Everyone and their dog wants to claw back the lost performance, we're only week past the big reveal.
Your idea of black/white listing processes might bubble up as a solution in some scenarios. Perhaps it could be pledge-like; if you're savvy enough, try implementing it, or fleshing out the details.
That might just create yet more problems. You can't just plug a new CPU into your motherboard--it has to match the socket, chipset, memory, installed OS, etc.
Well if they didn't change the socket every year...
Realistically though, they might be able to do it for cpu's that aren't soldered on (think just about every laptop) made in the last year or two, but would they really fab new versions of 10 year old cores? Its not like many of those lines are even running anymore, so they would basically have to redesign/layout and reverify everything.
Probably easier/cheaper just to send everyone a new machine.
Or give a price break on future hardware. The fix is turning out to be incredibly expensive for ordinary users, virtualization vendors, hardware vendors, OS providers, cloud providers, etc.
This incident demonstrates why you really don't want catastrophic bugs in the CPU. The fact that the hardware vendors missed this one makes you wonder what else is out there.
What if that computer is running something critical, say a reactor, and elevator or some device in a hospital? Computers are everywhere these days... Todays proof-of-concept becomes tommorow's metasploit module - and could cause large damage even in incompetent people's hands.
Or did you mean something else?