> It is a “near certainty” Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.
Doesn't that mean that it is a “near certainty” that the U.S. Government was aware of it, because authorities (NSA, etc) routinely monitor all such communications?
The state of communications interception is a bit different in China. In the US it is opportunistic. In China it is mandatory and baked into the internet backbone, the cloud providers, and all communication providers.
There's a big difference between "gathered the communications" and "is aware of their contents". When you gather everything you merely have the potential to be aware of things you maybe should be aware of. Finding which needles in the stack of needles are of interest is difficult.
It is entirely possible that without being told neither government could have become aware of this in spite of having the communications that could make them aware if only someone read them. It's also entirely possible that the Chinese government became aware from being told by folks at those Chinese companies who received disclosures, and that the U.S. government wasn't. Eventually we might find out what the actual situation was.
From a purely legal and policy standpoint, the linked report is concerning. One would think that Intel ought to be aware of the national security implications of Meltdown/Spectre and should have alerted someone in the U.S. government, though they're probably not obligated to. And, of course, what if Intel had not been an American company?
Seems a generally-accepted, leaning-to-be-true assumption regarding the NSA (or any nation-state-backed security or spying agency with advanced technologies at a similar level to the US).
The US government is not a PC maker. The goal of the disclosure was to help companies figure out how to patch systems. Why would anyone expect the government to be notified first?
The US Government has national defense responsibilities. Providing such exploit information to Chinese companies, many with strong ties to the PLA and other government organs, without notifying your own government first, seems irresponsible.
Notifying the government early would only serve towards helping the government temporarily exploit this vulnerability for intelligence purposes. It wouldn't make sense to notify them until progress was made with mitigations.
Is this a joke? Why would you not expect such a major American company to notify their government, when the government is one of their biggest customers?
> An Intel spokesman declined to identify the companies it briefed before the scheduled Jan. 9 announcement. The company wasn’t able to tell everyone it had planned to, including the U.S. government, because the news was made public earlier than expected, he said.
That seems to imply that Intel had planned to tell the US government some time between Jan 3 and Jan 9. That seems rather late.
I think that the distros list was notified before that, and I'd be quite surprised if there aren't a couple of government agencies monitoring it.
This article doesn't seem to say when the Chinese vendors were notified.
It's interesting how many folks in this thread claim the US government is a "huge" intel customer.
I do not believe that to be true. Certainly, they buy computers with Intel chips in them, but in terms of chip purchases (i.e. who Intel was probably notifying), they are probably nowhere in volume.
Intel has 8 customers accounting for 75% of revenue[1].
By numbers, America and Taiwan are tied for third in terms of volume per country. Singapore is #1, followed by China.
Even for just client computing, 3 customers account for 38% of their revenue.
The timetable is a bit strewn throughout the article, but from what I can make out:
June: Google reports the problem to Intel.
Soon after: Intel/Google (unclear) informs related businesses (Lenovo, Microsoft, Amazon, ARM Holdings, others?).
Jan 3: Vulnerability leaked ahead of planned Jan 9 reveal.
A 6 month window where apparently nobody informed the US Gov. I'm legitimately kinda surprised - if it were a small window, meh, but clearly they (and every other government) would have wanted an earlier warning since they'd likely be vulnerable. That's a gigantic window for the info to leak and an automated exploit to be built (just look how fast it happened when the news became public).
This series of flaws surprised me, I now really see why you want to run government computing on their own cloud. I naively trusted that vm separation would be enough and you couldn't leak things that way. I know there have already been flaws exposed where the memory wasn't scrubbed between sessions but I thought that was all fixed :-)
And the same idea applies to businesses that are suspicious of cloud computing security issues. Of course, these are probably obvious to everyone here and it's why these flaws are a big deal, because a lot of CPUs have been sold for cloud/VM installations. Now what?
Yup. Especially since China is already manufacturing their own x86 through a joint venture with Via Technologies. [0]
After the Meltdown/Spectre fiasco with Intel I'd be willing to bet China is weighing the performance penalty of switching to Zhaoxin CPUs versus paying Intel for buggy (and potentially backdoored via IME) CPUs.
The Chinese have shown over the past decades that they're fully capable of innovating and building strong businesses in segments where they didn't previously compete (Huawei in telco, Lenovo in consumer PCs, Xiaomi in smartphones).
Given that AMD was able to come up with Zen on a shoestring budget, who can say China can't do the same? They can certainly afford to throw money at R&D.
Google Project Zero researchers discovered this bug in May 2017. They notified Intel, AMD, ARM and likely other chip-makers (Qualcomm, Broadcom, Marvell, Microtek, Huawei etc.) directly. Intel is just the lead actor in this mega-production.
Then each of these chip makers would have notified their direct customers who make original equipment (motherboards, SoCs, add-on cards etc.). Then they would have to notify their firmware/software partners/vendors who have to fix the issue.
Since this was such a serious issue and at least 2 quarterly results were posted by all these publicly traded companies, I'm sure their lawyers, their external independent risk consultants, key members of the board and key investors were also told - especially as CYA when deciding to keep it a secret while giving market guidance (which had to be knowingly false?).
Each of these disclosures would have gone with boilerplate embargo legalese (bad things will happen to you if you speak about it). But all of them would have taken actions ranging from good to bad to evil (from insider stock trading to actively looking for ways to exploit the bug for competition spying).
While all this is going on, why would government not have known about this? Wouldn't one of the government certification programs like NIST FEDRAMP mandatorily require them to be notified of any vulnerabilities monthly?
And of course, all govt spy agencies would have surely known about this vulnerability as early as July/August given the amount of cross-continent communication that would have happened on this topic. And it's a whole other matter whether they used the exploit for any operational/tactical advantage for any ongoing operations or as a backdoor installation for future operations; it's anyone's guess. If they did do that, we cannot be surprised because that is definitely their job. Thinking any other way is not part of the security mindset. It's not the trust-everyone kind of thinking that led to discovery of this vulnerability in the first place.
I would be very surprised if the NSA did not already know about these vulnerabilities. It's unfortunate that we can't count on the NSA doing the responsible thing for national security (which would be to notify Intel). But if these bugs were found by several independent researchers this year, it's hard for me to believe that the NSA didn't already find them. If they didn't, they are falling down on the job.
With China being a much larger consumer than the U.S.[0], it is a logical decision to warn those first who would have a larger loss than others. Ultimately, by preventing China from gaining vulnerabilities, we in turn will help the U.S. in a greater sense by hopefully achieving a >95% protection rate on chips.
"In 2012, China consumed 33% of the world’s integrated circuits (i.e. microchips) while the US consumed only 13.5%"
Surely no vulnerabilities should be disclosed to the US government earlier than the public because it does abuse them to hack people's computers, and it doesn't make its own systems that would need protecting any more than private companies do. It's like giving a hacker group advanced notification.
Imagine the roles being reversed. Would we care if a Chinese chip maker notified Google before the Chinese government? I'm sure nobody on HN would be complaining. That makes it look like naive American-centrism.
Of course we wouldn’t think negatively of being told first; that’s the whole point.
Assuming you were trying to make a juxtaposition thought experiment, what you should be asking is “Would China’s people care if a Chinese chip maker notified the US government first of vulnerabilities in their hardware?”
So Intel knowingly ships faulty chips, which smells of fraud, and reveals a weakness in all of the USA's computers to another country which is known to employ cybercriminals ... how on earth do they get away scot-free? No criminal charges?
> So Intel knowingly ships faulty chips which smells of fraud and reveals a weakness in all of USA computers to another country which is known to employ cybercriminals
It also reveals weakness in Chinese, Russian and even Venezuelan Intel-based PCs, and while you may not agree that customers in these countries deserve to get notified on par with top-tier U.S. customers (a questionable stance), Intel clearly does, since at this point it is a multinational corporation with a large customer base outside the U.S.
zaxomi | 8 years ago
lordlimecat | 8 years ago
akerro | 8 years ago
cryptonector | 8 years ago
justicezyx | 8 years ago
angry_octet | 8 years ago
phkahler | 8 years ago
tomohawk | 8 years ago
Sephr | 8 years ago
tree_of_item | 8 years ago
bllguo | 8 years ago
achamayou | 8 years ago
rdlecler1 | 8 years ago
kumarvvr | 8 years ago
No matter who is manufacturing what, it's Intel's responsibility to ensure all those who _use_ their chips know of it immediately.
throwaway7645 | 8 years ago
booleandilemma | 8 years ago
nsainside | 8 years ago
amluto | 8 years ago
DannyBee | 8 years ago
None are the US government.[2]
[1] https://www.investopedia.com/articles/markets/100214/inside-... [2] https://www.sec.gov/Archives/edgar/data/50863/00000508631700...
Groxx | 8 years ago
empath75 | 8 years ago
foobarbazetc | 8 years ago
foobarbazetc | 8 years ago
https://en.wikipedia.org/wiki/Market_share_of_personal_compu...
So... what’s the problem exactly?
foobarbazetc | 8 years ago
https://www.itwire.com/security/81538-intel-ceo-sold-shares-...
So... a bunch of OEMs were told in November.
I just don’t understand the significance of the China angle here.
eccbits | 8 years ago
NotSammyHagar | 8 years ago
chisleu | 8 years ago
adamnemecek | 8 years ago
kogepathic | 8 years ago
[0] https://techreport.com/news/33018/via-joint-venture-reveals-...
downrightmike | 8 years ago
vinay_ys | 8 years ago
See this bug report by Jann Horn: https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
behringer | 8 years ago
mr_spothawk | 8 years ago
williamscales | 8 years ago
appstateguy | 8 years ago
[0] https://www.washingtonpost.com/world/national-security/the-n...
boyinschool | 8 years ago
[0]https://qz.com/72542/china-just-surpassed-the-us-in-semicond...
lawl | 8 years ago
Pyxl101 | 8 years ago
oneweekwonder | 8 years ago
jwilk | 8 years ago
https://archive.is/stHQc
averagewall | 8 years ago
electrograv | 8 years ago
chx | 8 years ago
netsharc | 8 years ago
I suppose in the eyes of these governments, they are.
I wonder if Intel just did it over the unsecured line, knowing that the NSA/FBI wiretaps that one...
AsyncAwait | 8 years ago
eccbits | 8 years ago