> While trying to get a solution to address this vulnerability as fast as possible, we faced communication issues with Intel which was deliberately restricting & filtering the information about the bug.
and
> According to the latest update from Intel, a microcode is required to completely fix the bug. The microcode release date is, at this time, scheduled for an undisclosed confidential unacceptable late date
I know who they are, yeah. The folks getting talked-to are AWS, Apple, Google, Microsoft, VMWare--heavy hitters with the technical acumen to enact changes and provide useful, actionable feedback immediately. But, on top of that, the folks who've tipped that they've known about it are folks who are known for being good, cooperative partners in security matters--maybe Scaleway is too, but I can understand Intel restricting the conversation to the Big Ones who they already trust.
There is a spectrum between letting everyone in on the embargo and keeping things under wraps. Given it took months for the key players to produce fixes (which Scaleway and everyone else can use), and things were already leaking before the embargo ended, it's hard to say they made the wrong tradeoff.
People are claiming that the OpenBSD people knew years ago, but what Theo de Raadt was discussing then was a list of published errata for the Core Duo. The bugs that are in the news right now were never published errata. I suspect that the OpenBSD people found out about them at the same time that the world at large did.
Seems like it. And not just the smaller companies:
DigitalOCean appear out of the loop and they're fairly sizeable[
OVH appear to have received no advanced notice (if you read between the lines of their post)
Cloudflare has been silent and they usually love being at the front of this stuff. They'll also probably take a nasty hit from these mitigation's too with their incredibly heavy network load, so they might all be out buying hardware.
That said, you've got to draw the line somewhere, AWS is truly huge and a key Intel customer, Google is one of Intel's biggest buyers and their researcher independently discovered it, Microsoft equally a massive Intel customer.
Overall I'd say Intel tried to keep it to an absolute minimum which is fair enough really. Had the news not broken early it's probable that patch notifications would have gone out once fully developed to all of these 'smaller' companies.
Online/Scaleway also build their own servers and were impacted by the Atom bugs/issues where Intel were apparently hard to work with. There's reason for the resentment.
16 comments
[ 2.9 ms ] story [ 42.1 ms ] threadand
> According to the latest update from Intel, a microcode is required to completely fix the bug. The microcode release date is, at this time, scheduled for an undisclosed confidential unacceptable late date
seems like intel is not much help.
Are smaller actors left behind?
https://en.wikipedia.org/wiki/Iliad_SA
Not quite a smaller actor.
* https://www.freebsd.org/news/newsflash.html#event20180104:01
The Ubuntu people also got that same notification it appears, but were also secretly told by Intel in November 2017.
* https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn... (https://news.ycombinator.com/item?id=16071769)
People are claiming that the OpenBSD people knew years ago, but what Theo de Raadt was discussing then was a list of published errata for the Core Duo. The bugs that are in the news right now were never published errata. I suspect that the OpenBSD people found out about them at the same time that the world at large did.
* https://marc.info/?l=openbsd-misc&m=118296441702631&w=2
* https://marc.info/?l=openbsd-tech&m=151521435721902&w=2
DigitalOCean appear out of the loop and they're fairly sizeable[
OVH appear to have received no advanced notice (if you read between the lines of their post)
Cloudflare has been silent and they usually love being at the front of this stuff. They'll also probably take a nasty hit from these mitigation's too with their incredibly heavy network load, so they might all be out buying hardware.
That said, you've got to draw the line somewhere, AWS is truly huge and a key Intel customer, Google is one of Intel's biggest buyers and their researcher independently discovered it, Microsoft equally a massive Intel customer.
Overall I'd say Intel tried to keep it to an absolute minimum which is fair enough really. Had the news not broken early it's probable that patch notifications would have gone out once fully developed to all of these 'smaller' companies.