Intel was aware of the chip vulnerability when its CEO sold off company stock (businessinsider.com)
468 points by MollyR 10 months ago | 85 comments

Google discloses the vulnerability to Intel in June. On October 26th, Intel files its quarterly numbers and makes no mention of Project Zero or the word "vulnerability" and fails, in Item 1A, to disclose any new risk factors [1]. On October 30th, Krzanich puts in trading instructions [2]. On November 29th, the trades occur; on December 1st, their confirmations are disclosed [2].

I'm not an expert on the sale of stock in public companies by insiders. But implementing sale instructions after finding a material risk factor and a filing that fails to reveal it looks shady.

(I continue to default to the assumption of sloppiness over bad intent, though even that is harshly punishable, albeit with fines versus jail time.)

[1] https://www.sec.gov/Archives/edgar/data/50863/00000508631700...

[2] https://www.sec.gov/Archives/edgar/data/50863/00011276021703... Explanation 1

How is it different from other sales Krzanich has done earlier? It seems that he has been selling/disposing of his shares on a regular basis after each option execution:





The only difference in this case is the trade size. Huge grant was vested and sold:


This might be related to his employment terms.

Because in addition to selling off his option shares he also sold off all of the other shares he has been holding down to the minimum (250k shares) that he is required to hold as CEO based on the Intel governance documents.

In November he sold as much stock as he legally could in his position, not just the amount he optioned.

The holding requirements are contractual, not criminal - there's no law requiring him to hold stock.

The minimum he's required to hold is still more than $10M tied up in a single stock. Wanting to diversify one's assets past that level is understandable.

You missed the point, it implies criminal if he sold down differently this time. The contractual details are only important in so far as they dictate his behavior.

It shows the concerned trade is not a part of the regular trades, the portion sold in that batch was significantly different to the extent that he couldn't sell any more when also retaining his position in Intel. In short, he used inside information to minimise his exposure to the risks.

That is criminal.

Undisclosed material information.

If you know a risk factor that hasn't been disclosed to investors you shouldn't be able to just point to your pattern of behavior.

(And if he doesn't want equity risk, he should arrange for other compensation...)

They should have filed an 8-K form, the typical SEC disclosure form for any materially significant event that cannot wait until a quarterly statement.


“Waiting until the next quarter” is exactly what Equifax did regarding patching.

Intel’s CEO is both guilty of corporate malpractice and willful blindness. The latter term is currently undergoing a renaissance in legal academia and will send many people to jail in the future.

If the vulnerability was embargoed until 1/1/18, does Intel have the right to reference it in a quarterly financial document before then?

> If the vulnerability was embargoed until 1/1/18, does Intel have the right to reference it in a quarterly financial document before then?

The embargoes are little more than gentlemen's agreements and I'm not aware of _anyone_ successfully suing for their violation. Google, for instance, technically violated the agreement by disclosing before 1/9/2018. Their lawyers would have advised on any legal risk doing so had.

In comparison, Intel management is required to disclose risk factors (such as a massive f'n vulnerability) that might materially affect the stock price or risk being gone after for insider trading if they sell within the window of them acquiring the knowledge and the public disclosure.

You don't get to refuse to disclose a major risk factor, announce a sale, and sell, then announce the problem once you have unloaded all your shares. That is basically the definition of insider trading.

Right? No. Duty? Yes. They need not describe details but can say: "big secret problem, working on it. Mitigations will be ready before public disclosure. Stock at risk should we not be ready in time."

Who knows, maybe Congress will pass a law, and with that all the security issues will be fixed, like everything surrounding Equifax.

Might be too soon for BTFD, but call options anyone?

The CEO, by virtue of being the CEO, can always be accused of insider trading.

> The CEO, by virtue of being the CEO, can always be accused of insider trading

The proper way to do this involves: (a) timing instructions alongside public filings and (b) having a long gap--the longer the better--between instructions being submitted and trades being executed.

Disclaimer: I am not a lawyer. This is not legal nor any other kind of advice. Consult with a lawyer before selling or buying shares as an insider.

Given the news did not seriously affect the price of the stock (3-4% is a little more than typical volatility, but not much), it seems like his defense would be very simple. "I did not consider this to be material non-public information, and indeed, it has turned out as I expected." In fact, he'd have been better off to wait until after the disclosure to sell based on the current price (45.3) and the price when he sold (44.8).

That’s a very premature read. The market is still digesting this news.

I agree, this is very premature, we don't have all the information yet. I purchased an i9 in December, because I cared about the performance, not the price, and had I known the little information we have now, I would have switched to AMD (I even hesitated to do so at the time).

I am still able to send back my i9 to Amazon, until end of January, and as I am in Europe, I also have a 2-year guarantee against faulty or non-conforming goods. Not sure if it can apply, but as of today nobody can tell what kind of action we can take against this (I understand that Intel claims this is not a bug, but others may beg to differ).

Also, besides any legalities, I am now an angry customer and would probably not buy Intel anymore after this.

I think for something this big, the foreseeable effects would be priced in by now. But, I'm no finance expert. I could be wrong.

I don't think the impacts have really begun to be felt yet. We're already anticipating over 20% based upon our current AWS findings (as others have pointed out their dilemmas as well). If I'm a larger company looking at a sudden increase of 20-30% for operations, I'm going to have a pretty strong response. I would imagine it takes upwards of 1 quarter before the Tech impact becomes a Business cost impact.

Based on AWS findings we should expect the stock to be up, not down: after software mitigation everyone will need more horsepower to run the same load, and guess where they would buy new chips? (given that updating infrastructure to use AMD, let alone ARM, would cost more time and money than just sucking it up).

Well, they may choose to spend more money on specialized chips they earlier have thought of as risky. But the whole risk considerations are now out of the window. You never got fired for buying from IBM and then Intel. Now Intel lost the magic touch and is just one among others. That will affect their pricing power big time - check out their pricing history over the past years and you notice some strong tendency for functional pricing which is an indication of near monopoly pricing power. Expect profits to dive.

> Well, they may choose to spend more money on specialized chips they earlier have thought of as risky. But the whole risk considerations are now out of the window. You never got fired for buying from IBM and then Intel. Now Intel lost the magic touch and is just one among others. That will affect their pricing power big time - check out their pricing history over the past years and you notice some strong tendency for functional pricing which is an indication of near monopoly pricing power. Expect profits to dive.

I expect a firesale in current and possibly next gen Intel processors. They have a healthy margin that should not exist. I want at least a 20% possibly 30% price cut across the board for all Intel processors.

Oh and I expect the CEO to go to prison for a long, long time. Anything that does not involve at least five years in prison sends a wrong message to board rooms everywhere.

You expect, or you want? These words often mean different things.

Your code may be, but I would think most code isn’t CPU bound nowadays. If so, that may lessen the impact on Intel quite a bit.

Or does this indirectly affect network and disk speed, too?

There are many foreseeable effects. Some of them will actually happen and others won't. Some of them are in direct contradiction with others. Some of them will result in a greater or lesser financial impact than expected. Beyond that there are unforeseen and unforeseeable impacts. Discounting all that, yes, I believe the market is reasonably efficient.

NVidia was growing for a year after Polaris release with nearly 50% performance jump. It still is growing.

My take is that Intel issues in the past have not affected profitability, so it's unlikely that this one will.

When investors see that there are operating system fixes for it, and that those fixes apply to AMD and ARM processors, it doesn't seem like a big deal. It doesn't look like there's going to be a massive recall of it, and there are no issues going forward.

So, while it's technically a BFD, as of now, investors are not seeing how this negatively impacts Intel's ability to make money. Plus, Intel's PR team did a good job at damage control.

If anything, it makes newer chips even more compelling.

I don't understand why it didn't affect the stock price more. This is a big deal.

Because most people don't know what any of this means. To nearly everyone else it sounds like Intel was hacked. But so what? Nearly every company has been hacked in the last three years, so it just doesn't seem like such a big deal.

Obviously this is completely wrong but it's how the general public and Wall Street will interpret it.

Because it won't change Intel's future value if buying decisions don't change. I don't expect people to shift away from Intel because of this so wouldn't expect revenues or income to drop. Unless they get hit with lawsuits (unlikely for a bug), this shouldn't affect their business too much.

It's difficult for me to imagine they won't get sued over this, and in a big way. Imagine if you're Amazon or Microsoft looking at a 30% reduction in salable CPU resources.

Plus a huge class action suit from consumers based on false advertising or some related claim.

Bugs happen. Their verification process was probably subpar but I'd be surprised if lawsuits were successful in this case. I'm not sure if they buy processors from Intel with a performance promise (benchmark values). If not, no promise has been broken with this.

I expect this is more of a positive for AMD than a negative for Intel. Perversely, this incentivizes people to get newer chips more quickly. If trust in Intel is not lost completely, and Intel puts out new chips that do not have this vulnerability, Intel could actually get more sales out of it.

If the new chips were going to have a 30% performance boost, now it looks like they will have a 50% performance boost. Much more compelling.

Because for every two people who panic and sell there is one who is waiting for the price to drop and buy. The same kinda happened with Equifax - went down from $140 to $90 then started climbing back up. Now is at $120 which is also where it was last year in January. So basically nothing changed for them in a year. They didn't get crushed and bankrupted like many were saying they would.

I remember at least people in /r/investing gloating how they made a good amount of money waiting for Equifax to drop and then bought it and sold it as it went back up. The same people are waiting for everyone to panic sell their INTC so they can buy it.

This may be a proper way when being a CEO but also not good stock trading advice. Try to make any money even without insider knowledge following such a process.

(c) an actual rule against changing those timing instructions - including of course canceling them

This rule does not currently exist.

Except when you're Equifax?

One major counterpoint:

What would have happened if the AMD developer on the LKML hadn't said "AMD chips aren't affected by [one of the bugs]" before the big public post? The big headlines would have all been about "major class of speculative execution bugs that cause data exfiltration on ARM, AMD, and Intel hardware." Only one of the bugs is Intel-specific (admittedly, the worst one), but even the Project Zero blogpost points out that it mostly focused on attacking Haswell microarchitecture.

So while Intel does have some egg on its face, ARM and AMD aren't exactly out of the woods yet. Side-channel attacks as a result of speculative execution are sort of a well-known idea, but the main big news is that they are practical to exploit and exfiltrate data. I would not be surprised to see more exploits of this type affecting different hardware vendors come out over the next year. The reason why there's so much focus on Intel is because people trying to reverse-engineer the exploit found the message saying "AMD not affected" and didn't realize that AMD is affected by some of the bugs.

Quite likely, whatever internal announcements that would have filtered up to the CEO would have focussed on the fact that other vendors are seeing some impact from these bugs (if nothing else, professional ass-covering). So it's hard to see how the CEO would actually find this information out even internally.

Edit: to put it more succinctly, Intel appears to have been preparing for an announcement of "Major class of speculative execution vulnerabilities [with particular impact to Intel]." However, the way the announcement came out was "Apparent major bug... that's Intel-specific... oh, here's the details of this bug [with related bugs affecting everybody]." That doesn't scream insider trading to me.

For the question of insider trading, it's irrelevant whether other companies were affected by this bug.

As long as the information was not public (in this case presumably it was an embargoed secret under NDA), and that information is material (this information clearly is as Intel's stock is down about 3% today) then it's illegal to trade on that information.

Well, the question is whether one would expect that Intel would be particularly affected. If the message is "everyone is boned," then there's no reason to expect Intel's share price to fall. That the message ended up being "Intel is boned" doesn't mean that insiders expected that to be the message.

To clarify: it smells bad enough to be investigated... but I wouldn't vote to convict solely on the evidence presented.

You're muddying the waters.

> If the message is "everyone is boned," then there's no reason to expect Intel's share price to fall

That's a weak defense against insider trading: the underlying (and incorrect) assumption is that share prices are 0-sum. It is possible - likely even - for the shares for all 3 to drop if it affects their businesses. It would still be insider trading regardless of who else on the market is affected.

> What would have happened if the AMD developer on the LKML hadn't said "AMD chips aren't affected by [one of the bugs]" before the big public post?

Why wouldn't they say it that way? It seems he was responding to a (justified) overreaction to mark all x86 chips vulnerable and so he pointed out explicitly that AMD wasn't. Why let his company get dragged down along with Intel unnecessarily? So it is not like he jumped out on Twitter and broke "the embargo" with something like "Ha, ha, Intel is so screwed".

> the big headlines would have all been about "major class of speculative execution bugs

That's what Intel basically said in their PR response. But so far it seems the Intel (and maybe ARM) only bug (Meltdown) is far more serious than the Spectre one. So even saying everyone is vulnerable would have been technically correct but a bit unfair toward AMD, wouldn't you say?

Interesting to compare the reactions in this thread from 1 day ago:

"Intel's CEO Just Sold a Lot of Stock"


New evidence (Google disclosed the vuln to Intel in 2017 June), means new behavior.

This looks really bad from a PR perspective. Huge performance-affecting security vulnerability and their CEO might have traded on insider info, doesn't look good.

I hope their lawyers have been productive these last few months before this all went public.

The vulnerability aside, it looks bad in general when a CEO suddenly dumps all of his stock other than the required minimum.

Throw in Google disclosing the vulnerability to Intel in June, and it looks criminal.


Let's say this were a company that you're very sympathetic toward. Or not. In either case, couldn't it still be an honest bug (as in, an "honest mistake"). They should still take their responsibility, be held responsible, in court if necessary, but let any one of us who is without bugs, throw the first stone? Or is Intel somehow special? I sincerely ask you.

Sure there can be honest mistakes, but what exactly is honest about dumping your shares knowing about the bug without disclosing it? Intel just flushed the last bit of credibility down the drain by this. I really hope AMD can profit long-term from this, we really need more players in this game.

Defining "honest mistake" for a company is quite difficult compared to an individual.

However there are lots of anecdotes from insiders emerging that suggest negligence through substantial changes and cuts in verification that may well have been a primary factor.

By comparison, if SpaceX had a massive disaster that affected everyone and it was found that they cut their testing team in half to re-appropriate resources 5 years earlier would you still call it an "honest mistake"?

Intel was informed by others of the vulnerabilities.

Rather damning: "Krzanich's [Rule 10b5-1(c)] plan was created on October 30 and by Intel's own admission, the company learned of the chip vulnerability in June."

They'll probably nail him, but not the Equifax C-suite.

The laws around PII breaches due to carelessness are largely nonexistent in the US. Laws around insider trading have had more than a century to develop their pointy end.

I think downrightmike was referencing the alleged insider trading at Equifax around the PII breach, not the PII breach itself. Some top executives unloaded stock just before the breach was revealed. So you're both referring to insider trading laws.

Honestly the two situations seem very similar. One is a vulnerability leading to PII, the other leading to performance degradation. Both could have negative impact on stock price, and both had executives unloading stock just before their announcement.

Well that's a problem. PII breaches should have pointed ends as pointed, if not more, than insider trading.

That's really hard to do. PII breaches are virtually always by mistake (irrelevant if that mistake is negligence).

Insider trading is intentional.

You can't really legislate serious penalties for mistakes, and negligence is really really hard to prove.

Negligence is not "really really hard to prove".

In the US, negligence as a tort is a four-pronged test. In the case of Equifax, did they have a duty to protect your PII? Did they breach that duty? Was that breach the proximate cause of your PII being disclosed? Did that disclosure result in an injury?

The EU already has legislated serious penalties for data breaches, and AFAIK whether it was a "mistake" or negligence is irrelevant:


The US doesn't seem to have much appetite for this kind of regulation though.

It's worth distinguishing the US congress and executive branch from the US citizenry, in cases like this.

Very true. I'd be interested to know how this issue polls in the US, I haven't seen any data on that.

> You can't really legislate serious penalties for mistakes, and negligence is really really hard to prove.

You can legislate serious penalties for negligence, of which a great number of PII breaches would, IMHO, be candidates for.

Absolutely, and there needs to be a statutory value placed on PII so that the Equifaxes of the world will have to be insured, and insurers will perform due diligence.

Until then...

Material + non public = insider trading. Anything else is an excuse, not a defense. This should be an open-and-shut case.

> Material + non public = insider trading. Anything else is an excuse, not a defense

Except you're wrong. Material and non-public are not sufficient conditions for a trade to be considered insider. I know the name and common lore seems to imply it, but legally there's many other details attached.

There are details of how "material" and "non public" are defined, but those are the two criteria. Don't call people wrong when you have zero facts on your side.

A counter-example is enough to prove me right.

I could give you at least one counter-example, i.e. a real court case from 2017 where two specific entities secretly coordinated a trade for stock in one of them on material and non-public information and was determined legal. (Obviously it went to court because people like you abound, who believe that complex matters like insider trading come down to "material" and "non-public".)

I'm not going to give you that example though, because I take issue with your arrogance, i.e. authoritatively claiming that someone has zero facts on their side when you have no idea what you're talking about :-)

Can you give an example?

One day CEOs will be held accountable for their companies' actions.

What specific actions by Intel are you proposing we should hold the CEO accountable for?

Failure to disclose material change in their past quarterly reports, failure to file an 8-K.

The stock seems to be doing fine. Overvalued even perhaps. A P/E of 42 when you have Nvidia hitting them on the high end, Apple and ARM hitting them on the low end, and AMD continuing to commoditize their offerings? I personally would not buy or hold at that price. I don't think there's anything illegal about selling the shares as soon as he executed on them, as he'll need to at least sell some to cover the tax liability, I think.

INTC only has a P/E Ratio of 15.86 https://www.google.com/search?q=NASDAQ:INTC&tbm=fin

Ah my mistake I must have misread.

> A P/E of 42

You're confusing Price and P/E.

Well, then I guess the CEO is going to prison, and someone at the SEC is going to make their career on this.

Don't know why you are being downvoted so much. That's actually what should happen. He probably will stay out of prison but there is no way they can keep him as CEO. This is a textbook example of insider trading from a CEO.

It looks like there will be a surge of purchases of new CPUs. He should have kept hold.

Serious question unrelated to the article. Why are half of these comments being flagged?

Nit: I don't see any that are flagged. There are some that are downvoted.

My mind-reading skills aren't what they used to be. Some of those downvoted are arguably off-topic or unsubstantive, both of which are frowned upon by HN members. Others, who knows. But then again, this is all speculation.

If nothing else, it sends a clear message of “I wouldn’t trust our product”.

Looks like he made about 4% more than he should have. Pretty insignificant in the grand scheme of things.

Do we already have hints who's doing a power play here? I mean even the leak was a surprise to companies like Google as I see it. Is there someone who wants to become CEO at Intel or a bigger company that wants to become a majority stake holder?

Isn't this a case that describes the benefits of insider trading? Him being able to sell his stock in the company alerted everyone that something may be up.

What alerted people that something may be up were discussions on LWN and the patch commentaries in Linux kernel code commits.

* http://pythonsweetness.tumblr.com/post/169166980422/the-myst...

* https://news.ycombinator.com/item?id=16046636

I wonder if that many people actually care. It is a timing attack only AFAIK.
