Date: Sun, 07 Jan 2018 17:43:50 -0800
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-security@freebsd.org
Subject: Re: Re "Intel responds to security research findings"
Message-ID: <11633.1515375830@segfault.tristatelogic.com>
In-Reply-To: <8ad62a54-cfc4-6d97-4045-303e6ee7806d@erdgeist.org>
In message <8ad62a54-cfc4-6d97-4045-303e6ee7806d@erdgeist.org>, Dirk Engling <erdgeist@erdgeist.org> wrote:

>On 03.01.18 22:14, Ed Maste wrote:
>
>> The FreeBSD Security Team recently learned of the details of these
>> issues that affect certain CPUs.
>
>Can you say, at what day you were informed?

Yes. What did the team know and when did it know it?

"There is a cancer growing on the Translation Lookaside Buffer."
-- John Dean -- March 21, 1973

But seriously folks, although I have nothing but admiration for, and complete faith in the FreeBSD security team, specifically, and although I am completely sure that THEY have done, and will do, the Right Thing, I do wonder about a whole helluva lot of the other actors in this drama.

Public reports indicate that various parties have known about either Meltdown or Spectre or both for something on the order of six months. Is it at all likely that any of the researchers who discovered these things would have waited months before informing Intel, Microsoft, or both? That seems highly unlikely.

All this adds up to yet another marvelous opportunity for me to vent spleen about the peculiar foibles of our civil (in)justice system here in the U.S. (My apologies to anyone who thinks this is off-topic for this list. Under the present circumstances, I am not persuaded that it is.)

What's going to happen now is as predictable as it is inevitable, at least here in the U.S. The various individual and class action lawsuits will proceed apace, at the usual snail's pace of civil litigation, over the coming months and years, and all of the various Plaintiff counsels will be granted pre-trial discovery, a great deal of which will seek to determine when Intel, ARM, and AMD knew about these flaws, and how many billions of dollars of known buggy chips they all knowingly shipped and sold (to all of us unsuspecting fools) thereafter.
The responses to all of these discovery requests and motions will, alas, all be shrouded in the greatest of secrecy measures, or, as they are known in the legal profession, "protective orders". As a result, us poor sods who are not parties to any of the litigation (and even many or most of the actual plaintiffs) will never even find out just how much garbage these companies continued to ship out after they had been fully and fairly informed of these problems.

Worse yet, the various attorneys for the Plaintiffs will most certainly use these embargoed bits of (potential liability) information as leverage to extract bigger settlements, even though they'll all be more than happy to carry these secrets to their graves... for the right price. Their "got you over a barrel" offer to the defendants in these cases will be simple: "Pay up, and pay us through the nose, or we will go to trial and in open court the whole world will learn that you just kept on dumping this buggy crap into your distributor pipeline, literally for months, after you knew about the problem(s)." And the defendants *will* pay up.

The result being that none of us, the great unwashed masses, will ever find out the true depths of what went on here, and how the production lines were ordered, by top brass, to just keep on humming along, 24/7, in three shifts, even well after the same top brass should have stopped them and waited for new (corrected) photomasks.

One doesn't have to look far, even in very recent history, to find examples of this exact legal scenario playing out. Just google for "Harvey Weinstein secret settlements" and start reading.

Bottom line: If you are willing to pay up, you can get almost anything swept under the carpet, with the aid and assistance of corporate-defendant-friendly judges who are only too happy to give out protective orders like candy.
It can be argued, and indeed, I personally WOULD argue, that these kinds of outcomes of our civil (in)justice system do not serve the public good, and rather, in fact, that they are counter to the public good, even though they clearly enrich a small set of lucky Plaintiffs and even more so, their attorneys.

But to bring this back on point, I would ask "What did Intel know and when did it know it?" It would appear that, as of now, the company is still attempting to make light of the situation, at least in their press statements, a fact from which I infer that their production lines are most probably *still* up and running, 24/7 in three shifts, cranking out even MORE buggy chips, even as we speak. (And likewise for ARM and AMD.)

Indeed, all three companies are sort-of between a rock and a hard place at the moment. If they move to curtail production in even the slightest way, that action alone would provide yet more ammunition to the various Plaintiffs' attorneys. The plaintiff attorneys would certainly jump on any production halt or slowdown as evidence that the companies do, at long last, grasp the seriousness of these issues, even if they've only elected to do so a good six months after they reasonably should have.

And this is the only other point/question I wanted to raise herein: When does "responsible disclosure" cross the line into irresponsible suppression of information which, by all rights, consumers should be informed of? Who has been helped and who has been harmed by the embargoing of the information about these issues (Meltdown & Spectre) for a full six months?

I can and do well and truly understand the argument that says that a reasonable period should be allowed for vendors to develop, test, and release patches, prior to public disclosure, most specifically when it comes to issues involving demonstrable security compromises, but... ah... SIX EFFING MONTHS?? Am I the only one who thinks that this is more than a bit generous (i.e. with respect to the vendors) and/or that the public interest would have been better served by NOT keeping all this stuff a secret for quite that long?

How many people and companies have bought chips over the past six months with no idea that these problems/issues were barreling down the tracks on a collision course towards them? Did it really require the best minds within both Intel and Microsoft, working feverishly for a full six months, to develop the mitigations that have only just been released? How much of that time was spent by the respective engineering teams enjoying languid liquid lunches on the terrace followed by their obligatory afternoon naps?

I understand that the exact parameters of what most people would agree constitutes "responsible disclosure" are still matters of ongoing and often (appropriately) heated debates within both the industry and, increasingly, within government and legal circles also. But although knowledgeable and well-intentioned people may reasonably disagree about appropriate time frames... particularly when it comes to an issue, or set of issues with ramifications as huge as Meltdown and Spectre... I, for one, would like to know if there is anybody on this list, or elsewhere, who thinks that a full six months delay before general public disclosure in a case such as this was in any way reasonable. I, for one, do not feel that it was. And I, for one, see no reasonable justification for such a huge delay before general disclosure, even in this very unusual and special case.

Keep this in mind: In this case, it isn't just that (purely theoretical, as far as we know) attackers were given an additional six months to exploit the holes, there is/was also the additional issue, noted above, that during these past six months the relevant semiconductor manufacturers have undoubtedly produced and distributed an untold number of additional buggy chips, which could, very easily, number into the hundreds of millions.
And lots of somebodys bought all of those buggy chips. As of now, I'm sure that a lot of them wish they hadn't, or that, at the very least, they had been permitted to make a fully informed choice. (They weren't.)

One thing, at least, seems clear -- Each of the researchers who found these issues, some six months ago, from that day onwards carried a heavy ethical burden, no matter how or when they ultimately elected to disclose what they had found. For this reason, I do not envy any of them.

Regards,
rfg