Intel Fails To Get Spectre, Meltdown Chip Flaw Class-action Suit Tossed Out (theregister.com) 32
"Intel will have to defend itself against claims that the semiconductor goliath knew its microprocessors were defective and failed to tell customers," reports the Register:
On Wednesday, Judge Michael Simon, of the US District Court of Oregon, partially denied the tech giant's motion to dismiss a class-action lawsuit arising from the 2018 public disclosure of Meltdown and Spectre, the family of data-leaking chip microarchitecture design blunders....
To defend against Meltdown and Spectre, Intel and other affected vendors have had to add software and hardware mitigations that for some workloads make patched processors mildly to significantly slower. The disclosure of related flaws has continued since that time, as researchers develop variations on the initial attacks and find other parts of chips that similarly expose privileged data. It is a problem that still is not entirely solved...
[L]awsuits have been consolidated into a multi-district proceeding known as "Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation" (3:18-md-02828-SI). And since 2018, Intel has been trying to get them to go away. Twice before the judge had dismissed the plaintiffs' complaint while allowing the plaintiffs to amend and refile their allegations. This third time, the judge only partially granted Intel's motion to toss the case. Judge Simon dismissed claims based on purchases up through August 2017 because Intel was unaware of the microarchitecture vulnerabilities up to that point. But he allowed seven claims, from September 2017 onward, to proceed, finding the plaintiffs' contention that Intel delayed disclosure of the flaws to maximize holiday season sales plausible enough to allow the case to move forward.
"Based on plaintiffs' allegations, it is not clear that Intel had a countervailing business interest other than profit for delaying disclosure for as long as it did (through the holiday season), for downplaying the negative effects of the mitigation, for suppressing the effects of the mitigation, and for continuing to embargo further security exploits that affect only Intel processors," the judge wrote in his order. [PDF]
This sounds reasonable. (Score:2)
Either they knew and covered it up or they didn't know. It makes sense to figure that out in court and hold them accountable if they knew.
Re: (Score:2)
But it's pretty hard to prove a negative, so I think this is just another winning game for the lawyers. It reminds me of the old small-town joke about "Two lawyers can make a living where one can't." I think proving ignorance has to fail, so they'll need to prove that Intel made a testable claim that was false, and that Intel is therefore liable for not doing the test. But I also think Intel's lawyers are rather too smart to have allowed that to happen.
But just maybe the Intel marketing droids were running
Re:This sounds reasonable. (Score:5, Insightful)
Anyways, they just have to prove that Intel knew, and they can show evidence by going back in time and showing that Intel at one point cared about this particular kind of security flaw by using designs that avoided it and only when AMD was cleaning their clock did they redesign their CPUs to their "Core" series, and every one of these modern side-channel security flaws was suddenly introduced.
Re: (Score:2)
Absolute security isn't a thing. In every design there is a trade off with respect to speed, functionality, or features.
Simply introducing something that reduces security in favour of speed doesn't make them guilty of anything other than designing a product which favours speed, something that Intel's customers were objectively in favour of (which is self evident given how the overwhelming majority of the world chose *not* to mitigate the problem in favour of the higher performance).
Re: (Score:2)
Re: (Score:2)
The plaintiffs do not have to prove absolute security. They just need to prove that Intel either knew or should have known that there were flaws.
No they don't. They need to prove a claim of unreasonableness. Simply knowing about flaws doesn't make someone liable for anything. Also do you understand what the word "risk" means? You're using the term in absolutes. The only way to run a computer risk free is to not run it, better still burn it in case someone comes and steals it, since that is also a risk. The presence of a risk doesn't make anyone liable, neither does ignoring said risk in favour of something else like speed.
The question is: Is the risk
Re: (Score:2)
Simply knowing about flaws doesn't make someone liable for anything.
Grimshaw v Ford [slashdot.org] says otherwise. Ford knew the Pinto had flaws and ignored them.
Also do you understand what the word "risk" means?
In the case of Grimshaw v Ford [spokesman.com], Ford internally did a calculation that it was cheaper to pay for lawsuits than it was for a recall.
You're using the term in absolutes. The only way to run a computer risk free is to not run it, better still burn it in case someone comes and steals it, since that is also a risk. The presence of a risk doesn't make anyone liable, neither does ignoring said risk in favour of something else like speed.
You seem to be arguing every single hypothetical instead of the simple question of whether Intel knew there was a security risk and chose to ignore it.
The question is: Is the risk unreasonable, and the industry which has effectively ignored it for most cases even going as far as disabling mitigations by default has spoken quite clearly about how reasonable they consider the risk.
Have you looked at the car industry? That seems to run counter to your arguments.
Re: (Score:3)
The task here is proving knowledge without contemporaneous disclosure, which is shockingly easy to do when you have tens of thousands of employees and an email system. People talk amongst themselves, and eDiscovery tools allow one to find it.
Because Intel has never made security claims [intel.com] in connection with virtualization and SGX. Not once.
Re: (Score:2)
I'm not following you here. It sounds like you are fully agreeing with me, but your tone sounds like you're disagreeing. Is it related to how you snipped things? Or maybe it's some kind of "wisdom of crowds" thing?
Re: (Score:2)
which is shockingly easy to do when you have tens of thousands of employees and an email system. People talk amongst themselves, and eDiscovery tools allow one to find it.
How are they going to do that? Are they going to have access to all of the employee emails?
Re: (Score:2)
Re: (Score:2)
But it's pretty hard to prove a negative
You don't need to prove a negative in court. It's up to the other party to prove a positive.
Re: (Score:1)
They had to have known the risk existed and exactly how easy it would be to exploit by the time they made the initial press release, because it didn't take me more than about 30 seconds after that to realize myself that it would be dangerous and highly exploitable. I'm certain that I'm on record somewhere saying that at the time.
Re: (Score:2)
It would be similar to the whole Epic vs Apple case that brought up a whole slew of paperwork into the public eye. It might not have shown anything illegal, but it could hurt their business in other ways.
Complexity (Score:3)
Speculative and out of order both speed up execution at the expense of complexity.
Complexity always introduces faults.
K.I.S.S.
Re: (Score:3)
once you are to the point where the instruction set and micro-ops are disjoint and you are pumping through a pipeline your level of analysis changes
Re: (Score:2)
The flaw wasn't even a mistake really, they just figured that they didn't need to ensure correct behaviour because nothing bad would happen if they skipped a few steps in the name of performance. Their mistake was thinking that it couldn't be abused.
Re: (Score:3)
There's a reason why we accept the complexity - speculative execution and out of order execution dramatically speed up a chip. We're not talking small potatoes, we're talking huge gains in speed.
We went from chips that spent multiple clock cycles per instruction to single cycle execution - achieved by pipelining the chip. Superscalar execution allows more than one instruction to be e
Intel Fails To Get Spectre (Score:4, Funny)
James Bond failed for 50 years to get them.
I guess IBM, ARM, MIPS, Sun/Fujitsu will also... (Score:3)
... file an amicus brief siding with Intel.
As all their architectures had Meltdown/Spectre type flaws as well...
If Intel falls, the ambulance chasers will use that precedent to extract money from the other mentioned parties too...
Re:I guess IBM, ARM, MIPS, Sun/Fujitsu will also.. (Score:4, Interesting)
I guess IBM, ARM, MIPS, Sun/Fujitsu will also... file an amicus brief siding with Intel.
As all their architectures had Meltdown/Spectre type flaws as well...
It isn't the flaw Intel is in trouble for.
It's because Intel lied in their public marketing materials and claimed to have removed all speculative branch acceleration circuitry in their latest chips, which they did not actually do.
Re: (Score:2)
It's because Intel lied in their public marketing materials and claimed to have removed all speculative branch acceleration circuitry
Cite? I don't think I've seen Intel advertise anywhere that they were rolling back CPU performance by 20 years.
Speculative branch acceleration is essential in all modern CPUs, except for Itanium, but look how well that worked. I'd be very keen to see where you claim they made this claim.
In fact the current court case is nothing to do with Intel advertising what you claim.
Re: (Score:2)
Re: (Score:2)
It depends if the fixes slowed the CPUs down much. AMD had some issues, not as bad as Intel, and was able to fix them in a way that didn't have any measurable impact on performance. Intel's fixes dramatically crippled performance.
Re: (Score:2)
Eagerly awaiting the court judgement (Score:3)
I'm all ready to receive my check for three dollars.
Re: (Score:3)
I'm all ready to receive my check for three dollars.
Three dollars? Look at Mr. Fancy Pants flouting his wealth.
Re: (Score:2)
That would be flaunting, but this NaziMantic will give you a pass.
Re: (Score:2)
Crap. Yup, moron is me.
Getting Spectre (Score:2)