Intel Warned Chinese Companies of Chip Flaws Before U.S. Government

325 points, by propman, over 7 years ago

17 comments


zaxomi, over 7 years ago

> It is a “near certainty” Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.

Doesn't that mean that it is a “near certainty” that the U.S. Government was aware of it, because authorities (NSA, etc) routinely monitor all such communications?

phkahler, over 7 years ago

The US government is not a PC maker. The goal of the disclosure was to help companies figure out how to patch systems. Why would anyone expect the government to be notified first?

amluto, over 7 years ago

> An Intel spokesman declined to identify the companies it briefed before the scheduled Jan. 9 announcement. The company wasn’t able to tell everyone it had planned to, including the U.S. government, because the news was made public earlier than expected, he said.

That seems to imply that Intel had planned to tell the US government some time between Jan 3 and Jan 9. That seems rather late.

I think that the distros list was notified before that, and I'd be quite surprised if there aren't a couple of government agencies monitoring it.

This article doesn't seem to say *when* the Chinese vendors were notified.

DannyBee, over 7 years ago

It's interesting how many folks in this thread claim the US government is a "huge" Intel customer. I do not believe that to be true. Certainly, they buy computers with Intel chips in them, but in terms of chip purchases (i.e. who Intel was probably notifying), they are probably nowhere in volume.

Intel has 8 customers accounting for 75% of revenue[1].

By numbers, America and Taiwan are tied for third in terms of volume per country. Singapore is #1, followed by China.

Even for just client computing, 3 customers account for 38% of their revenue.

None are the US government[2]

[1] https://www.investopedia.com/articles/markets/100214/inside-intel-look-mega-chipmaker.asp
[2] https://www.sec.gov/Archives/edgar/data/50863/000005086317000012/a10kdocument12312016q4.htm

Groxx, over 7 years ago

The timetable is a bit strewn throughout the article, but from what I can make out:

June: Google reports the problem to Intel.

Soon after: Intel/Google (unclear) informs related businesses (Lenovo, Microsoft, Amazon, ARM Holdings, others?).

Jan 3: Vulnerability leaked ahead of planned Jan 9 reveal.

A *6 month* window where apparently *nobody* informed the US Gov. I'm legitimately kinda surprised - if it were a small window, meh, but clearly they (and every other government) would have wanted an earlier warning since they'd likely be vulnerable. That's a *gigantic* window for the info to leak and an automated exploit to be built (just look how fast it happened when the news became public).

foobarbazetc, over 7 years ago

Lenovo was the #1 manufacturer of PCs worldwide in 2016.

https://en.wikipedia.org/wiki/Market_share_of_personal_computer_vendors

So... what’s the problem exactly?

NotSammyHagar, over 7 years ago

This series of flaws surprised me, I now really see why you want to run government computing on their own cloud. I naively trusted that VM separation would be enough and you couldn't leak things that way. I know there have already been flaws exposed where the memory wasn't scrubbed between sessions but I thought that was all fixed :-)

And the same idea applies to businesses that are suspicious of cloud computing security issues. Of course, these are probably obvious to everyone here and it's why these flaws are a big deal, cause a lot of CPUs have been sold for cloud/VM installations, now what.

adamnemecek, over 7 years ago

I’m guessing that the Chinese govt is a lot more likely to drop Intel than the US one.

vinay_ys, over 7 years ago

Google Project Zero researchers discovered this bug in May, 2017. They notified Intel, AMD, ARM and likely other chip-makers (Qualcomm, Broadcom, Marvel, Microtek, Huawei etc) directly. Intel is just the lead actor in this mega-production.

See this bug report by Jann Horn: https://bugs.chromium.org/p/project-zero/issues/detail?id=1272

Then each of these chip makers would have notified their direct customers who make original equipment (motherboards, SoCs, add-on cards etc). Then they would have to notify their firmware/software partners/vendors who have to fix the issue.

Since this was such a serious issue and at least 2 quarterly results were posted by all these publicly traded companies, I'm sure their lawyers, their external independent risk consultants, key members of the board and key investors were also told - especially as CYA when deciding to keep it a secret while giving market guidance (which had to be knowingly false?).

Each of these disclosures would have gone with boilerplate embargo legalese (bad things will happen to you if you speak about it). But all of them would have taken actions ranging from good to bad to evil (from insider stock trading to actively looking for ways to exploit the bug for competition spying).

While all this is going on, why would government not have known about this? Wouldn't one of the government certification programs like NIST FEDRAMP mandatorily require them to be notified of any vulnerabilities monthly?

And of course, all govt spy agencies would have surely known about this vulnerability as early as July/August given the amount of cross-continent communication that would have happened on this topic. And it's a whole another matter if they used the exploit for any operational/tactical advantage for any ongoing operations or as a backdoor installation for future operations, it's anyone's guess. If they did do that, we cannot be surprised because that is definitely their job. Thinking any other way is not part of the security mindset. It's not the trust everyone kind of thinking that led to discovery of this vulnerability in the first place.

behringer, over 7 years ago

Intel wanted to protect their customers before the US attacked them.

mr_spothawk, over 7 years ago

Didn't a Google researcher identify the flaw in the first case? If Alphabet (aka, public-NSA) didn't clue in the gov, I'd be incredibly surprised.

williamscales, over 7 years ago

I would be very surprised if the NSA did not already know about these vulnerabilities. It's unfortunate that we can't count on the NSA doing the responsible thing for national security (which would be to notify Intel). But if these bugs were found by several independent researchers this year, it's hard for me to believe that the NSA didn't already find them. If they didn't, they are falling down on the job.

boyinschool, over 7 years ago

With China being a much larger consumer than the U.S.[0], it is a logical decision to warn those first who would have a larger loss than others. Ultimately, by preventing China from gaining vulnerabilities, we in turn will help the U.S. in a greater sense by hopefully achieving a >95% protection rate on chips.

"In 2012, China consumed 33% of the world’s integrated circuits (i.e. microchips) while the US consumed only 13.5%"

[0] https://qz.com/72542/china-just-surpassed-the-us-in-semiconductor-manufacturing-and-the-trend-is-likely-to-accelerate/

lawl, over 7 years ago

The HN policy of allowing paywalls with a bypass should really be changed to allowing links to the bypass: https://l.facebook.com/l.php?u=https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430

jwilk, over 7 years ago

Paywall-free archived copy:

https://archive.is/stHQc

averagewall, over 7 years ago

Surely no vulnerabilities should be disclosed to the US government earlier than the public because it does abuse them to hack people's computers, and it doesn't make its own systems that would need protecting any more than private companies do. It's like giving a hacker group advanced notification.

Imagine the roles being reversed. Would we care if a Chinese chip maker notified Google before the Chinese government? I'm sure nobody on HN would be complaining. That makes it look like naive American-centrism.

chx, over 7 years ago

So Intel knowingly ships faulty chips which smells of fraud and reveals a weakness in all of USA computers to another country which is known to employ cybercriminals ... how on earth do they get away scot free? No criminal charges?