Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Intel Security Hardware

Nope, No Intel Chip Recall After Spectre and Meltdown, CEO Says (cnet.com) 372

Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, that's not on the cards. From a report: Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches." On Thursday, Intel said it was aiming to fix 90 percent of all Intel products that have been introduced within the past year by end of next week. CNET asked if the company was looking at older Intel processors? From the report: "We're working with [computer makers] to determine which ones to prioritize based on what they see as systems in the field," an executive at the company said. Intel also is fixing the problem in future chips, starting with products that will arrive later this year. Intel is effectively taking the software fixes being released now and building them directly into hardware, he said.
This discussion has been archived. No new comments can be posted.

Nope, No Intel Chip Recall After Spectre and Meltdown, CEO Says

Comments Filter:
  • by 110010001000 ( 697113 ) on Friday January 05, 2018 @09:54AM (#55868637) Homepage Journal
    Once the lawsuits come rolling in he won't have a choice. This isn't fixable. The best you can do is mitigate the damage. Good thing he sold all his stock before this went public.
    • by Megol ( 3135005 )

      As the AC correctly points out bugs are to be expected and are known to exist. Just read the amount of "will not fix" erratas published by Intel and realize that most erratas that will get fixed will be in later revisions (steppings) and not in currently available chips. The things that do get fixed in released systems are things microcode or feature control hardware can touch.

      This isn't unique to Intel of course.

      • This isn't a simple errata. This is HUGE flaw, a true game changer. It is a flaw that CANNOT BE FIXED, only mitigated to some extent.
    • Re: (Score:3, Interesting)

      by mysidia ( 191772 )

      Once the lawsuits come rolling in he won't have a choice. This isn't fixable. The best you can do is mitigate the damage.

      It turns out that these new methods of attack affect AMD x86 CPUs, and ARM non-x86 CPUs as well,
      so it's a multi-platform weakness that the only hardware safe against are essentially iPad and iPhone.

      Someone may TRY to sue Intel over this, but I suspect they will not be successful, since this
      isn't defective hardware per se, but hardware that doesn't resist a new kind o

      • by 110010001000 ( 697113 ) on Friday January 05, 2018 @10:39AM (#55868911) Homepage Journal
        WRONG. The Meltdown attack ONLY AFFECTS INTEL PROCESSORS. We need to keep this lie from spreading.
        • Re: (Score:2, Informative)

          by mysidia ( 191772 )

          WRONG. The Meltdown attack ONLY AFFECTS INTEL

          False; Non-Intel platforms are affected by the same form of problems. The security issue related to Processor Speculation has been Acknowledged by ARM [arm.com],
          and furthermore, even the Meltdown paper [meltdownattack.com] points out the same issues existing with at least several example attacks working reliably on the ARM and AMD platforms regarding out-of-order executions And instructions past illegal memory accesses.

          • by 110010001000 ( 697113 ) on Friday January 05, 2018 @10:54AM (#55869013) Homepage Journal
            WRONG. Repeating the lie doesn't make it true. MELTDOWN is INTEL ONLY. You are talking about a different issue. Please stop.
            • Citation please

              • by 110010001000 ( 697113 ) on Friday January 05, 2018 @11:38AM (#55869339) Homepage Journal
                FROM THE PEOPLE WHO ACTUALLY FOUND THE FLAW:

                https://spectreattack.com/ [spectreattack.com]

                Which systems are affected by Meltdown?
                Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors.

                Really, are you that ill-informed?
                • by Anonymous Coward on Friday January 05, 2018 @12:02PM (#55869569)

                  FROM THE PEOPLE WHO ACTUALLY FOUND THE FLAW:

                  The GP's "Citation please" was referring to the fact that "MELTDOWN is INTEL ONLY." AFAICT. Which it is. From Section 6.4 of the Meltdown paper:

                  We also tried to reproduce the Meltdown bug on several ARM and AMD CPUs. However, we did not manage to successfully leak kernel memory with the attack described in Section 5, neither on ARM nor on AMD.

                  In summary:
                  * Meltdown: Intel-only
                  * Specture: everyone

                • by mysidia ( 191772 ) on Friday January 05, 2018 @02:24PM (#55870651)

                  That is not contradictory information; it is just out of date. "Currently [as of the time the paper was written], we have only verified Meltdown on Intel processors.

                  The information cited does NOT support your claim that Meltdown is Intel Only; nor were the authors even claiming they believed Meltdown to be Intel-Only --- the authors showed information to indicate AMD/ARM would also be vulnerable, but they were primarily interested at the time in demonstrating the exploit on Intel processors and made minimal at best efforts to fully demonstrate and exposit the problem on ARM/AMD despite showing these affected.

                  Current security bulletins include more up-to-date information than the Authors' whitepaper.

                • Why quote some 3rd party FAQ rather than the original paper which is linked to in your citation?:

                  The reasons for this can be manifold. First of all, our implementation might simply be too slow and a more optimized version might succeed. For instance, a more shallow out-of-order execution pipeline could tip the race condition towards against the data leakage. Similarly, if the processor lacks certain features, e.g., no re-order buffer, our current implementation might not be able to leak data. However, for both ARM and AMD, the toy example as described in Section 3 works reliably, indicating that out-of-order execution generally occurs and instructions past illegal memory accesses are also performed.

            • by Ash-Fox ( 726320 )

              No, let him continue. I want to see where this goes.

            • by DanDD ( 1857066 ) on Friday January 05, 2018 @11:33AM (#55869297)

              mysidia said "Non-Intel platforms are affected by the same form of problems" (emphasis mine). This doesn't seem like a lie: Understanding Meltdown & Spectre: What To Know About New Exploits That Affect Virtually All CPUs [anandtech.com]

              I'm not a CPU architect, and perhaps you are, which would explain why you seem to take the differentiation of these bugs and exploits so seriously. Or perhaps you are paid by AMD or an ARM vendor.

              Or maybe it's that your statement: "the world revolves around me" [slashdot.org] suggests that there might be other issues behind your comments [wikipedia.org]

              • Meltdown is a much much bigger issue than Spectre is. Meltdown is an Intel only issue. I cannot make it more simpler. Please do some research before commenting. You don't need to be a CPU architect. The papers explain the problem very simply.
        • There are some specific (very high-end) ARMs that are vulnerable as well.
  • Same syndrome as VW (Score:4, Interesting)

    by Archtech ( 159117 ) on Friday January 05, 2018 @09:54AM (#55868645)

    The underlying pattern is exactly the same as the VW scandal. A manufacturer tries to deliver the promised performance, and in order to do so fakes out an emissions test (VW) or builds in a highly insecure procedure (Intel).

    At an even simpler level, it is just the battle between quality and quantity. VW and Intel cheated "a little" to provide the promised performance. We can expect a very great deal more of this.

    • by Archtech ( 159117 ) on Friday January 05, 2018 @09:59AM (#55868677)

      Intel will no doubt copy the big banks by claiming that it is "too big to fail". It would argue that it can't afford to replace all the defective chips, and so it shouldn't be forced to.

      The US government regards Intel as a huge asset - just like Microsoft, Oracle, IBM, Google, Facebook, Twitter, etc. - and will certainly take the company's side if it faces a serious threat to its existence.

    • True, but Intel is an American company so no big deal. It's only bad if the others do it. So don't expect anyone from Intel to be jailed like the VW guy. The only way is probably a class action lawsuit.
    • The underlying pattern is exactly the same as the VW scandal. A manufacturer tries to deliver the promised performance, and in order to do so fakes out an emissions test (VW) or builds in a highly insecure procedure (Intel).

      At an even simpler level, it is just the battle between quality and quantity. VW and Intel cheated "a little" to provide the promised performance. We can expect a very great deal more of this.

      This is not an Intel only problem; It's a fundamental design flaw (or oversight) that affects most modern processors. While Intel is taking the bulk of the blame on this, my take is this could very well be a catastrophe for smartphones, where each additional clock doesn't just affect performance. Losing a couple of hours a day of battery is pretty significant and quite possible.

      • by nagora ( 177841 )

        This is not an Intel only problem; It's a fundamental design flaw (or oversight) that affects most modern processors. While Intel is taking the bulk of the blame on this, my take is this could very well be a catastrophe for smartphones, where each additional clock doesn't just affect performance. Losing a couple of hours a day of battery is pretty significant and quite possible.

        There are two issues: Meltdown, which is easyish to exploit and affects all post-1995 Intel processors and 4, count 'em 4 Arm processors. Then there's Spectre which is hard to exploit and affects some other processors, but mostly Intel. Intel want everyone to believe that this means every vendor's in the same boat. They've done a very good job at this pretence but it is still a pretence. Or, "lie" if you prefer.

      • This is not an Intel only problem; It's a fundamental design flaw (or oversight) that affects most modern processors.

        Meltdown is the Intel-specific bug (it's different and can be patched, at a 70% performance hit.) Spectre is an architectural issue in all modern chips that can't be fixed without redesigning them from the ground up. Intel is taking the heat for Meltdown because it reeks of extraordinarily sloppy design and/or an attempt to cheat and have the best benchmarks by making an insecure chip. I'm sure to them it wasn't even that big of a deal, they know their chips are all backdoored with Intel ME, so what's on

    • by Megol ( 3135005 ) on Friday January 05, 2018 @10:13AM (#55868761)

      Bullshit. The suggestion is frankly completely bonkers - there are no similarities at all!

      What you are suggesting is that Intel willingly incorporated a security violating bug in order to gain some performance... How the hell would that work out?

      No don't respond as it's obvious you don't know enough to answer.

      • by Stormy Dragon ( 800799 ) on Friday January 05, 2018 @10:51AM (#55868989) Homepage

        What you are suggesting is that Intel willingly incorporated a security violating bug

        It found out about the bug in June and continued to sell defective processors for the last seven months.

        So yes, Intel willingly incorporated a security violating bug, for at least the last seven months.

        • I don't know that much about CPU design and fabrication but it's my understanding that the manufacturing process takes several months at least, so assuming they discovered the flaw in June and managed to *immediately* change the design to fix it, implementing those changes to the production line the very next day, it quite possibly could still have taken months for the revised designs to make it into the factory doors.

          But after you consider that coming up with a fix might itself take weeks at least, and imp

    • Wait, you're saying Intel did this knowing it was a security risk?

      I've not heard that allegation even from Intel's strongest critics. Where is the evidence for this?

    • The underlying pattern is exactly the same as the VW scandal. A manufacturer tries to deliver the promised performance, and in order to do so fakes out an emissions test (VW) or builds in a highly insecure procedure (Intel).

      At an even simpler level, it is just the battle between quality and quantity. VW and Intel cheated "a little" to provide the promised performance. We can expect a very great deal more of this.

      Wow. So basically your line of thinking is: "Company did something that turned out to be bad. Another company did something that turned out to be bad. Therefore conspiracy!!!!!!"

      Please use that grey matter between your ears to maybe read up on the VW scandal and this issue here before you look any more stupid than you already made yourself out to be with this post.

    • This was not Intel knowingly cutting corners. The amount of verification that goes into building a CPU is mind-boggling. There are dozens of layers of constrained-random verification, formal verification, electrical verification, performance verification. The techniques used are decades beyond the types of QA testing that most people on this forum are familiar with.

      This is just not an attack-vector that computer architects are used to reasoning about. For the most part, the security isolation story is bas
  • by Baron_Yam ( 643147 ) on Friday January 05, 2018 @09:55AM (#55868647)

    Seeing as replacing every Intel chip sold in the last decade would break the company overnight AND the problem can be patched (with an uncertain performance hit that may negligibly low in most scenarios, but could be ridiculously high in a few), I'm not in the least bit surprised by this.

    They're going to have to either kick it up a notch in the next product cycle OR find and release similar vulnerabilities in the competition's product lines or they're going to lose a bit of market share over this, though.

    I'd be shocked if they lost a huge portion of the market. There are a lot of PHBs out there who think Intel is the only option.

    • The fact is they could replace older chips a lot less expensively than people think. One reason if they use modern manufacturing to produce older chips the yield would be nearly 100%.

  • by Anonymous Coward on Friday January 05, 2018 @09:57AM (#55868649)

    It's not possible recall all the processors that ever existed. Society doesn't have the resources even to think about such a thing.

    Besides, computers run software, which is almost infinitely malleable; it can be crafted to mitigate the problems of hardware—as it has always done. So much of programming is about working around someone else's boneheaded mistakes.

    Now, that being said, this is actually a good reason to support FOSS. You cannot trust other people (especially large, flush corporations) to care enough about your particular situation to fix up the software so as to mitigate such problems. If only more software in the world were open to inspection, then at least people who really care could go about fixing things themselves, and the rest of you consumer nitwits could at least benefit from their hard work, too.

    We'll get there one day.

    • by AmiMoJo ( 196126 )

      I'd like to see an option to return my CPUs for a free fix. For some people the performance loss is significant.

      It won't happen because they don't make CPUs for those old sockets any more, and they aren't going to give me a free motherboard and RAM upgrade.

      • I'd like to see an option to return my CPUs for a free fix. For some people the performance loss is significant.

        It won't happen because they don't make CPUs for those old sockets any more, and they aren't going to give me a free motherboard and RAM upgrade.

        Are you claiming a real significant performance loss, and not a theoretical one? What workload are we referring to here? I think others would like to reproduce your results.

    • A recall doesn't have to be all-or-nothing. Intel could at least make an effort to replace the worse-affected situations.

      If they advertised a certain performance and their design flaw makes that performance not possible, it's legally breach of contract and/or false advertising. They don't automatically have a get-out-of-punishment card JUST because of the magnitude of the mistake. "It's too hard to uphold" is not a sufficient excuse. There is a continuum of resources and effort they can provide to replace b

    • It's not possible recall all the processors that ever existed. Society doesn't have the resources even to think about such a thing.

      Issuing a recall doesn't mean that you'll successfully buyback every item that was sold. There may not even be a buyback program. And how quickly you've forgotten that society has dealt with far larger recalls, even in just the last year, in fact.

      Take VW's emissions scandal, for instance, which affected over 11 million vehicles. They were forced to recall vehicles spanning nearly a decade after they advertised performance numbers that were only achievable thanks to their use of a "cheat mode" that cut neces

    • Right, because FOSS has never had 20 year old bugs/security flaws. You cannot just implicitly trust ANY software unless YOU validate it. The problem is that 99.999999% of the population has no idea how to analyze software for security flaws. You either have to inherently distrust everything and base your technology around the concepts of lack of trust (such as the devs of Qubes do) or you accept the risk.

      Having the source code doesn't make an application anymore trustworthy from a security standpoint,
    • It's not possible recall all the processors that ever existed. Society doesn't have the resources even to think about such a thing.

      A recall actually wouldn't be that expensive for Intel. Most CPUs and SoCs with the same die size [techreport.com] as Intel's CPUs sell for only around $20. The $100 to several $1000 Intel is able to command for their CPUs is due to marketing and them being top dog. The material cost of the Intel* CPUs themselves is only a tiny fraction of their retail price. (Which raises the possibility o

  • by rsilvergun ( 571051 ) on Friday January 05, 2018 @10:14AM (#55868765)
    A lot of users won't be impacted. My brothers pissed because this is going to tank performance in the IO heavy strategy games he plays and he bought his i7 specifically to play them. It's looks like enough to knock him down to high end i5 territory. That's about $75-$100 worth of performance gone in a puff of smoke....
    • i7 to i5 isn't really the right comparison. It's more like switching from a 7800rpm to a 5200rpm disk drive. I/O is going to be impacted. AI, physics, and graphics not at all.

      • by AmiMoJo ( 196126 )

        Cloud and VPS services are going to be hammered by this. It's a critical flaw for them and their systems do a massive amount of calling and switching in and out of the hypervisor and every running OS kernel.

        Imagine your service suddenly and permanently losses 30% of its capacity. Hundreds of millions of Euros of computing power wiped out. Your customers are pissed because their bills are going up as their apps suddenly need more CPU cycles...

      • when you put it like that it makes it sound like the problem is his hard drive, which it's not. A faster drive wouldn't fix the performance issues either (e.g. it wouldn't make the CPU turns faster).
    • For a gaming machine, it's not clear that you even need to accept the update. Although this defect is ugly, in order to exploit it, you have to get a malicious program onto the machine initially. For a single-user system, such malware probably doesn't gain anything extra from this. The real impact will be to shared server machines. I'm not saying that this isn't ugly. It's problematic for any system that needs to ensure confidentiality as the patch will have to be applied and the performance hit taken.
    • by thegarbz ( 1787294 ) on Friday January 05, 2018 @11:10AM (#55869125)

      My brothers pissed because this is going to tank performance in the IO heavy strategy games he plays and he bought his i7 specifically to play them.

      Where'd you get this from? So far the only benchmarks I've seen show sweet fa difference for any kind of gaming before and after the patches.

    • Perhaps it might incentivise him to get out the basement and go get some exercise instead.

  • by Opportunist ( 166417 ) on Friday January 05, 2018 @10:31AM (#55868861)

    Well, maybe in the veterinary sense, but I didn't plan to buy a castrated CPU.

    First, the problem is in the processor logic itself. We're talking about a design flaw that could only "really" be patched by re-etching the silicon. I highly doubt that he has found a way to rework the die. This isn't some BIOS feature we have to patch. Intel's promise now is that they found a way to manage the problem in microcode. And whether the microcode patch will do any good is still to be seen. Personally, my stance is "seeing is believing".

    Mostly because there is a second aspect: ALL, and I do mean ALL, possible approaches to fixing this can only be done with a drop in performance. There is no way this can be addressed without taking a performance hit. Especially high I/O applications like database processing is severely affected by the current patches, postgresql cited performance drops of up to 30%.

    Simply having the gall to state that this is no reason for a recall takes quite the chutzpah. I kinda wonder whether various high performance data centers will simply swallow this.

  • by MetricT ( 128876 ) on Friday January 05, 2018 @10:40AM (#55868915)

    The bug primarily affects large cloud vendors like Google, Facebook (who have entire buildings filled with lawyers) and HPC clusters (many of which have law *schools*).

    Without the patch, the computers are vulnerable, and large data centers *must* upgrade given the size and value of the target they are. However, the loss in performance may be substantial. I help manage a ~2000 server HPC cluster. If the patch causes us to lose 5% of our performance, that's like throwing 100 computers away. Which is completely and utterly unacceptable, and we as well as others have the resources to make that crystal clear to Intel.

    • I suspect HPC will take little or no performance hit. The hit comes on workloads that do LOTS of system calls. HPC does hardly any.

    • by houghi ( 78078 )

      Google already stated that the loss im performance was minimal. In fact they said negligible impact on performance followed by a YMMV. That means it is nowhere near the 5%. Remember that is is google who might have a bit more than 2000 servers worldwide.

      So first measure how much impact it is. Could be that the typing you did was more expensive than the loss in performance over a year, Or perhaps 5% is way to low for your situation and it is more at 50%.

  • by nagora ( 177841 ) on Friday January 05, 2018 @10:41AM (#55868927)
    that this is someone else's problem.

    Intel CEO Brian Krzanich said the new problems are much more easily fixed by other people who knew what they were doing. "After all," he continued, "do you want the idiots who did this to work on the fix? You're better off doing it yourself. I'll be at the beach if you need me."

  • What about kicking Intel out for AMD!

  • Time for AMD EPYC where are the 1P boards super micro?

    H11SSL-i / H11SSL-C / H11SSL-NC does someone have an link to a store where I CAN BUY them??

  • Someone make an amd ryzen board with ipmi! for systems that don't need an high end epyc system. Like xeon e3

  • If there is no need for a physical recall and a simple software patch does the job then that is the right thing to do. It is better for Intel, better for customers, better for vendors, better for the economy and better for the Earth. A physical recall has very high costs for each of these groups. Yes, some people might like a 'shiny new computer' out of the deal but that is just greed. Unfortunately there will likely be some lawyers who will try and get rich on this with a big lawsuit. Shakespeare them. ("F

    • There is no "simple software patch" that will "do the job". That is the point. But nice try at the "save the Earth" spin.
  • Question on Timing (Score:5, Interesting)

    by ytene ( 4376651 ) on Friday January 05, 2018 @11:37AM (#55869331)
    A lot of people are commenting on the fact that Intel's CEO sold the maximum permissible amount of company stock [or options - it isn't clear which] *after* Intel were notified of the bug and *before* this was made public.

    But I'm interested in this for a slightly different reason. In mid-December 2017 I purchased a new computer system. I had been saving up for it for a very considerable period of time... It is based around the Core i7-7700T processor, which I now understand to be one which will be impacted and likely to "slow down" as the patches for Windows and Linux are deployed.

    But Intel knew that the chip that I would be buying was materially defective. Whilst I accept that they have taken steps to apply corrective software fixes, that doesn't detract from the fact that I could have chosen to defer my purchase until a "clean" chip was released. Here we have the CEO saying "no recall", yet how are Intel's actions any different from i.e. the Ford Motor Company / Firestone Tire issue?

    Are Intel claiming that they have no legal obligation to sell working product? Or to take appropriate steps to notify customers in a timely manner? If they knew about this in October, has it *really* taken this long to get patches ready and come clean? And what about all the product already in the supply chain?

    I would be *very* interested to see any data from Intel's distributors or channel suppliers to get a better handle on shipment volumes in the time slot in question. Very interested to know if Intel made a push to "get rid" of known bad stock. Very interested to know what the lead time is for good silicon.

    Anyone got any real-world experience of these scenarios?
    • "But Intel knew that the chip that I would be buying was materially defective. Whilst I accept that they have taken steps to apply corrective software fixes, that doesn't detract from the fact that I could have chosen to defer my purchase until a "clean" chip was released. Here we have the CEO saying "no recall", yet how are Intel's actions any different from i.e. the Ford Motor Company / Firestone Tire issue?"

      You nailed the issue. In addition, Intel is STILL SELLING their defective product. Intel did the
    • Anyone got any real-world experience of these scenarios?

      I invite you to look at a history of erratas from any CPU (or silicon in general) manufacturer. It is literally situation normal to sell devices with known defects that need to be worked around, and it has been since the 80s.

      The problem with your "defer" option is that you're unlikely to defer when there's no end in sight.

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson

Working...