
Intel Warned Chinese Companies of Chip Flaws Before U.S. Government - propman
https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430
======
zaxomi
> It is a “near certainty” Beijing was aware of the conversations between
> Intel and its Chinese tech partners, because authorities there routinely
> monitor all such communications, Mr. Williams said.

Doesn't that mean that it is a “near certainty” that the U.S. Government was
aware of it, because authorities (NSA, etc) routinely monitor all such
communications?

~~~
lordlimecat
The state of communications interception is a bit different in China. In the
US it is opportunistic. In China it is mandatory and baked into the internet
backbone, the cloud providers, and all communication providers.

~~~
isomorphic
[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A)

I think you mean "overtly mandatory" in China's case.

~~~
rtpg
I get your point. The NSA has anchor points very deep in the system.

The overt, pervasive mandatoriness of the Chinese system is another ballgame
entirely.

If the Chinese gov't shows up and asks for basically anything, of course you
give it. There are no questions, no lawyers. It is how things are done.

US tech companies do have lawyers and fight back at some stuff. Think about
all those defamation cases where people try to sue Twitter to get the
identities of people criticizing them.

How do you think that works in the Chinese social environment?

~~~
dmix
Well if there's lawyers getting involved, or the threat of such, that's what
the five eyes (and the other "n eyes") are for. And then you can just call it
a "minimization error during routine data sharing with foreign intelligence
partners" that happened to sweep up tons of domestic US data.

~~~
rtpg
Right, you end up with this sharing to get around legal issues.

Technical issues are a bit different though. Australian intelligence does not
have rooms in any AT&T building I think. Though perhaps they perform some
legal tricks to give them access and then roundtrip the info.

I hope they at least feel bad doing so.

------
phkahler
The US government is not a PC maker. The goal of the disclosure was to help
companies figure out how to patch systems. Why would anyone expect the
government to be notified first?

~~~
tomohawk
The US Government has national defense responsibilities. Providing such
exploit information to Chinese companies, many with strong ties to the PLA and
other government organs, without notifying your own government first, seems
irresponsible.

~~~
jknz
Any government has national defense responsibilities. With your logic, Intel
is a multinational company and should have informed them all, which leads to
its own kind of problems.

Edit: The only reasonable path seems to inform every government
simultaneously, at the same time as the public. How could the EU possibly let
Intel sell CPUs, and let Intel inform other governments of vulnerabilities
first? So that the other governments have a time window to play with the
vulnerability against the EU?

~~~
tomohawk
Only if you think there is some sort of moral equivalence between the
governments.

~~~
phkahler
There is a practical equivalence between governments. If one government could
make the case that they should be informed, then any government who bought
systems with "Intel Inside" could make the same argument. If you want to split
governments into groups based on some notion of morality then you may want to
question why a company would be allowed to do business with a country on the
wrong side of that morality in the first place. That's actually a discussion
I'd like to see.

~~~
tomohawk
Practically speaking, providing an exploit to the Russian government vs the US
government - that would be a different effect, no? How would you justify
providing the exploit to the North Koreans, or the Iranians?

There is a very practical morality at play here. The Chinese government runs
protesters over with tanks, imprisons people without cause, attacks their
neighbors without cause, etc. Would it be a good thing to aid such a
government?

Putting all governments on the same moral plane is counterproductive and
nonsensical. Not providing important information to your own government so
that they can secure the very systems that protect you - that doesn't seem
very practical.

~~~
sammoorhouse
> The Chinese government runs protesters over with tanks, imprisons people
> without cause, attacks their neighbors without cause, etc.

Oh come on, you're making it too easy!

------
amluto
> An Intel spokesman declined to identify the companies it briefed before the
> scheduled Jan. 9 announcement. The company wasn’t able to tell everyone it
> had planned to, including the U.S. government, because the news was made
> public earlier than expected, he said.

That seems to imply that Intel had planned to tell the US government some time
between Jan 3 and Jan 9. That seems rather late.

I think that the distros list was notified before that, and I'd be quite
surprised if there aren't a couple of government agencies monitoring it.

This article doesn't seem to say _when_ the Chinese vendors were notified.

------
DannyBee
It's interesting how many folks in this thread claim the US government is a
"huge" Intel customer. I do not believe that to be true. Certainly, they buy
computers with Intel chips in them, but in terms of chip purchases (i.e. who
Intel was probably notifying), they are probably nowhere in volume.

Intel has 8 customers accounting for 75% of revenue[1].

By numbers, America and Taiwan are tied for third in terms of volume per
country. Singapore is #1, followed by China.

Even for just client computing, 3 customers account for 38% of their revenue.

None are the US government[2]

[1] [https://www.investopedia.com/articles/markets/100214/inside-...](https://www.investopedia.com/articles/markets/100214/inside-intel-look-mega-chipmaker.asp)

[2] [https://www.sec.gov/Archives/edgar/data/50863/00000508631700...](https://www.sec.gov/Archives/edgar/data/50863/000005086317000012/a10kdocument12312016q4.htm)

------
Groxx
The timetable is a bit strewn throughout the article, but from what I can make
out:

June: Google reports the problem to Intel.

Soon after: Intel/Google (unclear) informs related businesses (Lenovo,
Microsoft, Amazon, ARM Holdings, others?).

Jan 3: Vulnerability leaked ahead of planned Jan 9 reveal.

A _6 month_ window where apparently _nobody_ informed the US Gov. I'm
legitimately kinda surprised - if it were a small window, meh, but clearly
they (and every other government) would have wanted an earlier warning since
they'd likely be vulnerable. That's a _gigantic_ window for the info to leak
and an automated exploit to be built (just look how fast it happened when the
news became public).

~~~
empath75
There is approximately zero chance that someone at the NSA didn’t find out
about it before it was publicly announced.

~~~
angry_octet
And it has to be assumed that they would already be monitoring the Swiss
research team also.

------
foobarbazetc
Lenovo was the #1 manufacturer of PCs worldwide in 2016.

[https://en.wikipedia.org/wiki/Market_share_of_personal_compu...](https://en.wikipedia.org/wiki/Market_share_of_personal_computer_vendors)

So... what’s the problem exactly?

~~~
eccbits
It's well known that the main cyber threats come from two nation-state actors:
Russia & China.

~~~
foobarbazetc
Yeah but... so what?

They told a bunch of OEMs and they told ARM too. So does that mean they told
GCHQ? Not really.

It would be negligent NOT to tell Lenovo when they make a massive chunk of all
PCs globally.

Thousands of US corporations run Lenovo computers.

------
NotSammyHagar
This series of flaws surprised me, I now really see why you want to run
government computing on their own cloud. I naively trusted that vm separation
would be enough and you couldn't leak things that way. I know there have
already been flaws exposed where the memory wasn't scrubbed between sessions
but I thought that was all fixed :-)

And the same idea applies to businesses that are suspicious of cloud computing
security issues. Of course, these are probably obvious to everyone here and
it's why these flaws are a big deal, cause a lot of cpus have been sold for
cloud/vm installations, now what.

~~~
chisleu
Xen has had plenty of exploits. There are certainly exploits still out there,
maybe even known exploits.

------
adamnemecek
I’m guessing that the Chinese govt is a lot more likely to drop intel than the
us one.

~~~
kogepathic
Yup. Especially since China is already manufacturing their own x86 through a
joint venture with Via Technologies. [0]

After the Meltdown/Spectre fiasco with Intel I'd be willing to bet China is
weighing the performance penalty of switching to Zhaoxin CPUs versus paying
Intel for buggy (and potentially backdoored via IME) CPUs.

The Chinese have shown over the past decades that they're fully capable of
innovating and building strong businesses in segments where they didn't
previously compete (Huawei in telco, Lenovo in consumer PCs, Xiaomi in
smartphones).

Given that AMD was able to come up with Zen on a shoestring budget, who can
say China can't do the same? They can certainly afford to throw money at R&D.

[0] [https://techreport.com/news/33018/via-joint-venture-reveals-...](https://techreport.com/news/33018/via-joint-venture-reveals-kx-5000-x86-socs-for-chinese-pcs)

~~~
throwaway7645
They also routinely steal blueprints to US technology as well as the rest of
the world. They make billions in IP theft annually. I'm not saying they can't
innovate (being one of the first advanced civilizations), but they're
currently so behind in many areas that corporate espionage + cheap knockoff is
super profitable. Why spend billions in R&D?

~~~
coldtea
So, just like US in the early days?

Back in 1812, finished cotton textiles dominated British exports, accounting
for about half of all trade revenues, the fruit of a half century of progress
in mechanized mass production. Proportionate to GDP, the industry was about
three times the size of the entire U.S. automobile sector today. High-speed
textile manufacture was a highly advanced technology for its era, and Great
Britain was as sensitive about sharing it as the United States is with
advanced software and microprocessor breakthroughs. The British parliament
legislated severe sanctions for transferring trade secrets, even prohibiting
the emigration of skilled textile workers or machinists. But the Americans had
no respect for British intellectual property protections. They had fought for
independence to escape the mother country’s suffocating economic restrictions.
In their eyes, British technology barriers were a pseudo-colonial ploy to
force the United States to serve as a ready source of raw materials and as a
captive market for low-end manufactures. While the first U.S. patent act, in
1790, specified that "any person or persons" could file a patent, it was
changed in 1793 to make clear that only U.S. citizens could claim U.S. patent
protection.

[http://foreignpolicy.com/2012/12/06/we-were-pirates-too/](http://foreignpolicy.com/2012/12/06/we-were-pirates-too/)

[https://www.pri.org/stories/2014-02-18/us-complains-other-na...](https://www.pri.org/stories/2014-02-18/us-complains-other-nations-are-stealing-us-technology-america-has-history)

~~~
astebbin
Unlike the 18th-century USA, China is party to numerous international treaties
and conventions [0] which obligate it to honor certain IP protections. Their
enforcement record to date has been spotty at best, with many [1] allegations
[2] of state-assisted [3] or -condoned [4] IP [5] theft [6].

Also, between slavery and the Native American genocide(s), I'd say the 18th-
century USA may not be a great moral reference point. For that matter, China's
government at that time still practiced slavery, foot binding, judicial
torture, and all kinds of fun stuff. Neither would be great models for a
modern state.

[0] [https://en.wikipedia.org/wiki/Intellectual_property_in_China...](https://en.wikipedia.org/wiki/Intellectual_property_in_China#International_conventions)

[1] [http://money.cnn.com/2017/08/14/news/economy/trump-china-tra...](http://money.cnn.com/2017/08/14/news/economy/trump-china-trade-intellectual-property/index.html)

[2] [https://www.nytimes.com/2017/08/15/opinion/china-us-intellec...](https://www.nytimes.com/2017/08/15/opinion/china-us-intellectual-property-trump.html)

[3] [https://www.reuters.com/article/usa-fighter-hacking/theft-of...](https://www.reuters.com/article/usa-fighter-hacking/theft-of-f-35-design-data-is-helping-u-s-adversaries-pentagon-idUSL2N0EV0T320130619)

[4] [https://www.cbsnews.com/news/60-minutes-great-brain-robbery-...](https://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/)

[5] [https://www.networkworld.com/article/2223272/cisco-subnet/60...](https://www.networkworld.com/article/2223272/cisco-subnet/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html)

[6] [http://www.politifact.com/punditfact/statements/2016/may/17/...](http://www.politifact.com/punditfact/statements/2016/may/17/newt-gingrich/newt-gingrich-says-china-stole-360-billion-intelle/)

------
vinay_ys
Google Project Zero researchers discovered this bug in May, 2017. They
notified Intel, AMD, ARM and likely other chip-makers (Qualcomm, Broadcom,
Marvel, Microtek, Huawei etc) directly. Intel is just the lead actor in this
mega-production.

See this bug report by Jann Horn: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1272)

Then each of these chip makers would have notified their direct customers who
make original equipment (motherboards, SoCs, Add-on card etc). Then they would
have to notify their firmware/software partner/vendors who have to fix the
issue.

Since this was such a serious issue and at least 2 quarterly results were
posted by all these publicly traded companies, I'm sure their lawyers, their
external independent risk consultants, key members of the board and key
investors were also told - especially as CYA when deciding to keep it a secret
while giving market guidance (which had to be knowingly false?).

Each of these disclosures would have gone with boilerplate embargo legalese
(bad things will happen to you if you speak about it). But all of them would
have taken actions ranging from good to bad to evil (from insider stock trading
to actively looking for ways to exploit the bug for competition spying).

While all this is going on, why would government not have known about this?
Wouldn't one of the government certification programs like NIST FEDRAMP
mandatorily require them to be notified of any vulnerabilities monthly?

And of course, all govt spy agencies would have surely known about this
vulnerability as early as July/August given the amount of cross-continent
communication that would have happened on this topic. And it's a whole another
matter if they used the exploit for any operational/tactical advantage for any
ongoing operations or as a backdoor installation for future operations, it's
anyone's guess. If they did do that, we cannot be surprised because that is
definitely their job. Thinking any other way is not part of the security
mindset. It's not the trust-everyone kind of thinking that led to discovery
of this vulnerability in the first place.

------
behringer
Intel wanted to protect their customers before the US attacked them.

------
mr_spothawk
Didn't a Google researcher identify the flaw in the first case? If Alphabet
(aka, public-NSA) didn't clue in the gov, I'd be incredibly surprised.

------
williamscales
I would be very surprised if the NSA did not already know about these
vulnerabilities. It's unfortunate that we can't count on the NSA doing the
responsible thing for national security (which would be to notify Intel). But
if these bugs were found by several independent researchers this year, it's
hard for me to believe that the NSA didn't already find them. If they didn't,
they are falling down on the job.

~~~
appstateguy
There's been a brain drain [0] going on at the NSA, so it wouldn't surprise me
if they missed it.

[0] [https://www.washingtonpost.com/world/national-security/the-n...](https://www.washingtonpost.com/world/national-security/the-nsas-top-talent-is-leaving-because-of-low-pay-and-battered-morale/2018/01/02/ff19f0c6-ec04-11e7-9f92-10a2203f6c8d_story.html)

~~~
dgoldstein0
Sure, but these flaws aren't particularly new - Spectre has been possible in
some form likely for the last 20 years.

------
boyinschool
With China being a much larger consumer than the U.S.[0], it is a logical
decision to warn those first who would have a larger loss than others.
Ultimately, by preventing China from gaining vulnerabilities, we in turn will
help the U.S. in a greater sense by hopefully achieving a >95% protection rate
on chips.

"In 2012, China consumed 33% of the world’s integrated circuits (i.e.
microchips) while the US consumed only 13.5%"

[0] [https://qz.com/72542/china-just-surpassed-the-us-in-semicond...](https://qz.com/72542/china-just-surpassed-the-us-in-semiconductor-manufacturing-and-the-trend-is-likely-to-accelerate/)

------
lawl
The HN policy of allowing paywalls with a bypass should really be changed to
allowing links to the bypass:
[https://l.facebook.com/l.php?u=https://www.wsj.com/articles/...](https://l.facebook.com/l.php?u=https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430)

~~~
Pyxl101
A simpler version of the same link is to replace "wsj.com" with "fullwsj.com".

------
jwilk
Paywall-free archived copy:

[https://archive.is/stHQc](https://archive.is/stHQc)

------
averagewall
Surely no vulnerabilities should be disclosed to the US government earlier
than the public because it does abuse them to hack people's computers, and it
doesn't make its own systems that would need protecting any more than private
companies do. It's like giving a hacker group advanced notification.

Imagine the roles being reversed. Would we care if a Chinese chip maker
notified Google before the Chinese government? I'm sure nobody on HN would be
complaining. That makes it look like naive American-centrism.

~~~
electrograv
Of course we wouldn’t think negatively of being told first; that’s the whole
point.

Assuming you were trying to make a juxtaposition thought experiment — what you
should be asking is “Would China’s people care if a Chinese chip maker
notified the US government first of vulnerabilities in their hardware?”

~~~
sanxiyn
Intel notified Lenovo. Intel didn't notify the Chinese government.

------
chx
So Intel knowingly ships faulty chips which smells of fraud and reveals a
weakness in all of USA computers to another country which is known to employ
cybercriminals ... how on earth do they get away scot free? No criminal
charges?

~~~
netsharc
So, the people employed by the NSA who hack other nations' computers and
networks... are they cyber-criminals too?

I suppose in the eyes of these governments, they are.

I wonder if Intel just did it over the unsecured line, knowing that the
NSA/FBI wiretaps that one...

~~~
robocat
> So, the people employed by the NSA who hack other nations' computers and
> networks... are they cyber-criminals too?

In the reverse direction, the US has tried to sentence Chinese military
members - [https://www.usnews.com/news/articles/2014/05/19/chinese-mili...](https://www.usnews.com/news/articles/2014/05/19/chinese-military-members-face-us-hacking-economic-espionage-charges)

