Intel Is Stockpiling Legacy Technology For Security Research

James Rundle writes via the Wall Street Journal: A few years ago, executives at Intel began to realize they had a problem. The company was making dozens of new products each year, from chips to software platforms, but it didn't have a formal method for cataloging and storing older technology so engineers could test it for security flaws. [...] Intel's answer to this conundrum was to create a warehouse and laboratory in Costa Rica, where the company already had a research-and-development lab, to store the breadth of its technology and make the devices available for remote testing. After planning began in mid-2018, the Long-Term Retention Lab was up and running in the second half of 2019. The lab gives Intel, which is based in Santa Clara, Calif., and has more than 100,000 employees, a centralized, secure location where security tests can be run from anywhere in the world. Access to the building is strictly controlled and approved by senior managers, while surveillance cameras watch the equipment at all times. Even its location is secret -- Intel representatives declined to say where exactly it is.

The lab brings commercial value to Intel, [said Mohsen Fazlian, general manager of Intel's product assurance and security unit.], citing company research that shows customers are more likely to buy technology from manufacturers that proactively test their products. [...] The lab has changed Intel's product development. All new technology is now built with the facility in mind, with technical documentation created to allow engineers to support it for up to 10 years, and units are sent to the lab before they are released, Mr. Fazlian said. "Hopefully, I will never find myself searching eBay for Intel hardware again," he said.

I thought it's already obvious to anyone

[Pierre Pants]

that they're stockpiling legacy technology. The majority of their CPUs are still 14nm.

Re:

[omnichad]

I think they'll stay fairly cool-headed.

Re:

[dddux]

Seeing how much watts these new ones consume, I kinda doubt it. ;) Depends on how high is "fairly cool".

Re:

[NateFromMich]

That is not funny.

Really? I laughed at it. Maybe you should lighten up.

Hopefully they have a backup

[davidwr]

One volcano/earthquake/hurricane/asteroid/nuke in the wrong place could wipe this out.

Let's hope they have spare parts somewhere else so they could re-build this if it gets knocked out.

Re:

[Luckyo]

If they get smacked with a nuke in Costa Rica, "it security" is going to be very low on anyone's priority list. Somewhere around "having a correct type of anal dildo to pleasure my pet duck during nuclear winter" level of priority.

Re:

[The123king]

Seems accurate though.

Technically wrong

[DrYak]

Seems accurate though.

Though technically wrong.

(Turning the "bio scientist nerd nit-picking" dial to 11...)

having a correct type of anal dildo to pleasure my pet duck during nuclear winter

...except that birds don't have a separate anus. They have a single hole (cloaca), So "cloacal dildo" would have been more correct.
(Though unlike most other birds, male ducks do have a phallus).
(And try to not think too much about coerced reproduction in ducks).

Re:

[Luckyo]

Funny part is is the exact reason why I made the point about anal dildo. Anal openings tend to be very poorly suited for penetrative entry in most species, which is why ducks have that weirdly shaped, very soft penis and their reproductive organs separate from cloaca quite early. And if you ever looked at that specific piece of anatomy, that would actually be rather difficult to hit without that very specifically shaped object. Because it's the intestinal pathway that goes straight from the opening in the d

My back room is the backup

[raymorris]

When I read a bunch of old technology for security testing, yo me that sounds like my back room. Heck, I still have a variety of SCSI cables and adapters; Intel is saying "up to ten years".

One post on Slashdot will find you anything Intel has made in the last ten years (or 30).

Re:

[The123king]

I do! Would go nicely with my PDP-11's

./ is using an Intel logo more than a year old.

[Glasswire]

That is all.

Re:

[davidwr]

How appropriate.

what about MB and other parts needed to run

[Joe_Dragon]

what about MB and other parts needed to run that hardware?

Intel has boards to run CPUs on

[drnb]

Intel used to make consumer motherboards. I believed they continued to make some motherboards for corporate customers. At a minimum they would have development boards used for testing CPUs during development. You can think of these boards as something akin to an Arduino, or the development boards of microcontrollers for embedded environments. Intel may also offer reference PC motherboard designs.

In short Intel probably has all the technology and expertise necessary for something to run the CPU on. Maybe

Re:

[The123king]

I don't think Intel would be running Windows in this application anyway. It's more likely to be Linux or another *NIX-like

Re:

[drnb]

Yeah, I expect FreeRTOS, Embedded Linux and Desktop/Server Linux would be up and running before Windows. More so Desktop Linux if they also want to test the integrated GPUs. FreeRTOS would probably be fine for testing ethernet, USB, etc.

Then again we are talking about going from one Intel CPU to another so the cost is really that of an incremental port. The previous version of the software probably already runs on the hardware, or is very close to doing so, so the real effort is to test something new or

Oxymoron?

[AJWM]

Somehow, "a centralized, secure location" and "where security tests can be run from anywhere in the world" don't exactly strike me as phrases that belong in the same sentence when it comes to IT.

As long as you MAINTAIN the VPN/jumpbox, no secret

[raymorris]

I'm a picky security professional. While certainly the design would require attention to security, I think it's perfectly doable. There are two main points I'd watch out for.

The one and only internet-accessible device would be a hardened VPN endpoint and minimal jumpbox. That's the part that has to be secure. Which means that system has to be maintained, getting security patches and VPN config updates as needed.

Spanned with the inside interface of the VPN would be an IDS recording and analyzing all traffic

Re:

[evil_aaronm]

I like this, but what if the bad guys implant a BIOS-altering bug on the "no value" machine? Sure, they still won't get anything worthwhile, but you could never really trust that machine, right? If you even knew it was "bugged." Is there a mitigation strategy for that?

Re: As long as you MAINTAIN the VPN/jumpbox, no se

[raymorris]

"you could never really trust that machine, right?"

That's exactly the "mitigation". You don't trust it.
Much like any machine running Windows. :)

But seriously, you don't trust JavaScript on random web pages, right? You use the JavaScript to play the game or whatever on the web page; you don't trust it.

If the bad guy owns the BIOS, the bad guy owns the machine. So it's the bad guy's machine. Just like any random web server you might use - it's presumably been compromised by a bad guy. Which means I use the S

Re:

[The123king]

60 years ago, it was possible to run programs from anywhere in a university campus, as long as there was a dropbox for your punch cards and a pigeon hole for the results. Oh, and 24 hrs for the operators to actually run your program. I imagine at Intel, they'll be a team of guys/gals in white coats setting up experiments and running programs, then submitting results via a secure network. The actual hardware being operated would probably be stored in a climate-controlled warehouse and only powered up when ne

Re:

[redmid17]

The article actually tells us how its done

Re:

[The123king]

You're on /. Do you think people actually read the articles?

Re:

[AmiMoJo]

They mean physically secure, so that the parts won't be stolen and won't be destroyed by a fire.

I am stunned it took them this long

[redmid17]

security testing is usually a lower priority than pushing profitable products and C level execs are loathe to fund anything that isn't a profit center, but I am absolutely floored that they didnt have a formal, company wide security testing standard until a few years ago. Remote testing obviously is a level up but given the volume:

Marcel Cortes Beer, a manager at the lab, said it gets about 1,000 requests a month to build equipment for remote security tests, and 50 new devices come in weekly.

I am amaz

What security research?

[Canberra1]

Security research is near worthless, when decision makers who caused the speculative execution flaws not to be fired or roasted over hot coals. I have motherboards, that will never see microcode patches. Once I was told Intel was only chosen, because the documentation was good, relative to others. That went out the door, when SystemOnaChip chips came out (Intel makes money on 'glue' chips'. Now cost decisions mean price has moved to first place, with ARM having got away, even though some arm chips inherited

Re:

[NateFromMich]

The entire point of this advertisement we're reading is to convince people that Intel is serious about these exploits. This announcement was probably planned in a boardroom that started with a conversation about their brand image.

Re:

[RightSaidFred99]

Oooh, wow, insightful! You mean something a for-profit company has PR'd is intended to bolster the reputation of that company?! You've really got a handle on things, I'll give you that.

Re:

[reanjr]

It's sad if their docs have gotten worse. I remember working with AMD64 back in the day, and Intel's docs were great. Well documented technology is so much nicer to work with.

Re:

[Canberra1]

Well, there have to be few hidden details to hide microcode and TPM patches. It would not do to break direct video output (Hollywood says no) or enable cpu serial numbers to change (that may hurt Google and FB). Then with Spectre etc, the performance hit - had to be covered up. You wont hear the phrase 'Product compromise' or 'Product pushing' but it is there. Like every other disaster, Intel had to disclose and release early, the stuff it had on paper to dent AMD and ARM. Thanks to TSMC, I dont think Intel

Re:

[RightSaidFred99]

What the fuck? How sad does one have to be to SPAM slashdot with ads using generic text representing the post being replied to? Jesus Christ, now I'm depressed.

Security problems in legacy chips

[drinkypoo]

That's easy, Intel can just point to any of the processors they've made in ages and say "and there's another processor where we deliberately compromised security to get a leg up on AMD."

So Helpful!

[DarkOx]

The lab brings commercial value to Intel, [said Mohsen Fazlian, general manager of Intel's product assurance and security unit.], citing company research that shows customers are more likely to buy technology from manufacturers that proactively test their products.

Given we are talking about large micro processors, network and storage controllers, and chipset products here which generally can't be just be swapped for contemporary replacements this seems rather self serving to me. If you find a vulnerability in these things your options are basically; replace it and probably most of the machine around it at the same time; disable the affected features which is often so crippling you'll want to replace it anyway; or ignore the issue and hope for the best. This isn't lik

Really?

[nospam007]

A company thinks 10 years ahead?
Call me shocked!

secret, secure location?

[Virtucon]

It's in Costa Rica, I'm sure a few satellite images will sort it out. You also know damn well that their competitors know where it is and most likely China and US authorities too.