Hacker News

Apparently Intel attempted to play down the issue by trying to award the researchers with the 40,000 dollar tier reward and a separate 80,000 dollar reward as a "gift" (which the researchers kindly denied) instead of the maximum 100,000 reward for finding a critical vulnerability.

Intel was also planning to wait for at least another 6 months before bringing this to light if it wasn't for the researchers threatening to release the details in May.

Source in the Dutch interview: https://www.nrc.nl/nieuws/2019/05/14/hackers-mikken-op-het-i...






Intel has abused the responsible disclosure process for economic gain. Their leadership was not interested in a repeat of the Spectre and Meltdown impact on their stock price and made the (most likely accurate) assessment that recurring news of Intel vulnerabilities would harm their stock more than a delayed and cumulated release. As a result, academic researchers were denied some of the credit they would otherwise have rightfully earned, because their individual contributions are buried in a sea of similar publications. Research efforts were thus needlessly duplicated. Research which could have formed the basis for subsequent research was unavailable, and (publicly funded) researchers wasted time duplicating results. If two researchers discover the same vulnerabilities independently, there should be no embargo on disclosures, because it has to be assumed with a high likelihood that third parties might already be actively exploiting it. The public has to be warned, even if no effective mitigation is available. If, for a subset of the vulnerabilities, AMD and ARM are not affected, then security-conscious users could have been reducing their exposure by utilizing competitors' chips.

In this case the practice of responsible disclosure has been turned on its head. There should no longer be any responsible disclosure with Intel as long as they do not commit to changing their behavior.


> The public has to be warned, even if no effective mitigation is available. If, for a subset of the vulnerabilities, AMD and ARM are not affected, then security-conscious users could have been reducing their exposure by utilizing competitors' chips.

The way Intel has been handling these security issues, I am going to avoid buying Intel whenever possible moving forward, regardless of whether they have slight performance or power gains over competitors. The way to speak negatively toward corporate governance in this case is to vote with my wallet.


It's worse than that. Some of these flaws have been known for over a year already. Many vendors with implementation details of the fixes have said "full mitigation may require disabling hyperthreading".

Wtf does that mean exactly? Do the patches and microcode work or do they not? I expect the truth to come out as OSS maintainers come out of embargo and others analyze the patches. But it sure looks like VMs on your favorite cloud provider will still be vulnerable in some ways because they're not turning off HT.

Wired has many details of your Dutch link in English. https://www.wired.com/story/intel-mds-attack-speculative-exe...

Intel pressuring vendors to not recommend disabling hyper-threading? Apple has added the option to macOS, so presumably the mitigations are not completely effective: https://www.theregister.co.uk/2019/05/14/intel_hyper_threadi...


That speaks volumes to the integrity of the researchers. Similarly, it speaks to a lack of the same @ Intel. Bribing for silence is not the way to deal with vulnerabilities. I’m glad the researchers are getting some recognition.

> Intel was also planning to wait for at least another 6 months before bringing this to light

Of course, until the legally agreed date when they can dump shares so there’s no obvious proof that it’s insider trading. Isn’t that what (then) Intel CEO Brian Krzanich did after Meltdown/Spectre?


Not sure why downvoted; this sounds like the most logical reason.

Because they’d eventually have to disclose when the vulnerability was discovered and that’d be extremely obvious what they’re doing?

It might be obvious, but that's exactly what Brian Krzanich did in 2017. He didn't get in any actual trouble for it even though the timing smelled blatantly like insider trading.

Is it obvious if they have an existing plan to sell shares and are simply waiting for it to trigger? They can reasonably claim they took this action to protect consumers until they had a better fix.

Executives are allowed to sell at pre-agreed dates. If they do it on those dates then there’s nothing to prove, they just postpone the disclosure under any reason. Doesn’t make it smell less like insider trading, you just can’t prove it.

I don’t think he did. He got out and had a prior year's notice. Then he made a comment about not losing over 20 percent of datacenter to AMD. Dude definitely saw what was coming.

Seemed to work out okay for the Equifax executives who sold stock before they publicly disclosed they had been breached.

No. CPU vulns don’t affect Intel’s stock price.

History would appear to prove you wrong[1]. Yes, Intel's stock price rebounded; that doesn't change that their stock price changed when the vulnerability became public.

[1]: https://qz.com/1171391/the-intel-intc-meltdown-bug-is-hittin...


Yes. Gamers like Intel because it's faster. Benchmarks are clear. :P

You have to admire the complex complicity. Someone smart enough to understand the depths of the problem had to guide that conversation.

Or just someone paranoid enough that this would be their standard response if they poll the researchers and one of them says "this could be New York Times big".


