16 comments

[ 2.9 ms ] story [ 42.1 ms ] thread
> While trying to get a solution to address this vulnerability as fast as possible, we faced communication issues with Intel which was deliberately restricting & filtering the information about the bug.

and

> According to the latest update from Intel, a microcode is required to completely fix the bug. The microcode release date is, at this time, scheduled for an undisclosed confidential unacceptable late date

seems like intel is not much help.

They also mention that they were made aware of the issue only a few days ago, probably like us on HN.

Are smaller actors left behind?

Probably. Smaller actors are less known quantities. Intel probably wanted to control the leak as long as possible.
This is France's first or second largest ISP, and they are also absolute datacentre owners (incl land).

https://en.wikipedia.org/wiki/Iliad_SA

Not quite a smaller actor.

I know who they are, yeah. The folks getting talked-to are AWS, Apple, Google, Microsoft, VMWare--heavy hitters with the technical acumen to enact changes and provide useful, actionable feedback immediately. But, on top of that, the folks who've tipped that they've known about it are folks who are known for being good, cooperative partners in security matters--maybe Scaleway is too, but I can understand Intel restricting the conversation to the Big Ones who they already trust.
There is a spectrum between letting everyone in on the embargo and keeping things under wraps. Given it took months for the key players to produce fixes (which Scaleway and everyone else can use), and things were already leaking before the embargo ended, it's hard to say they made the wrong tradeoff.
From what I've been reading, none of the BSDs were notified.
The FreeBSD people were notified a week or so ago.

* https://www.freebsd.org/news/newsflash.html#event20180104:01

The Ubuntu people also got that same notification it appears, but were also secretly told by Intel in November 2017.

* https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn... (https://news.ycombinator.com/item?id=16071769)

People are claiming that the OpenBSD people knew years ago, but what Theo de Raadt was discussing then was a list of published errata for the Core Duo. The bugs that are in the news right now were never published errata. I suspect that the OpenBSD people found out about them at the same time that the world at large did.

* https://marc.info/?l=openbsd-misc&m=118296441702631&w=2

Seems like it. And not just the smaller companies:

DigitalOCean appear out of the loop and they're fairly sizeable[

OVH appear to have received no advanced notice (if you read between the lines of their post)

Cloudflare has been silent and they usually love being at the front of this stuff. They'll also probably take a nasty hit from these mitigation's too with their incredibly heavy network load, so they might all be out buying hardware.

That said, you've got to draw the line somewhere, AWS is truly huge and a key Intel customer, Google is one of Intel's biggest buyers and their researcher independently discovered it, Microsoft equally a massive Intel customer.

Overall I'd say Intel tried to keep it to an absolute minimum which is fair enough really. Had the news not broken early it's probable that patch notifications would have gone out once fully developed to all of these 'smaller' companies.

Our plan is to talk about this when we have full data. Right now looks like we aren't taking much of a hit at all.
Excellent. I enjoy reading your write ups/insight so it'll be very interesting to see what you have to say.
Online/Scaleway also build their own servers and were impacted by the Atom bugs/issues where Intel were apparently hard to work with. There's reason for the resentment.
I misread this as Safeway, and was really surprised for a minute.
(comment deleted)