NSA Denies Prior Knowledge Of Meltdown, Spectre Exploits; Claims It Would 'Never' Harm Companies By Withholding Vulns
from the lol-ok-then dept
News surfaced late last week indicating everything about computing is fucked. Two critical flaws with zero perfect fixes -- affecting millions of processors -- were exposed by security researchers. Patches have been deployed and more are on their way, but even the best fixes seem to guarantee a noticeable slowdown in processing speed.
The government has stepped up to say that, for once, it's not involved in making computing less safe.
Current and former U.S. officials... said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.
Rob Joyce, White House cybersecurity coordinator, said, “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”
The veracity of this statement is largely dependent on the credibility attributed to the person making it. While it is conceivable the NSA did not know about the flaw (leading to it being unable to exploit it), it's laughable to assert the NSA wouldn't "put a major company in a position of risk" by withholding details on an exploit. We only have the entire history of the NSA's use of exploits/vulnerabilities and its hesitant compliance with the Vulnerability Equities Process to serve as a counterargument.
The NSA has left major companies in vulnerable positions, often for years -- something exposed in the very recent past when an employee/contractor left the NSA in a vulnerable position by leaving TAO tools out in the open. The Shadow Brokers have been flogging NSA exploits for months and recent worldwide malware/ransomware attacks are tied to exploits the agency never informed major players like Microsoft about until the code was already out in the open.
These recently-discovered exploits may be the ones that got away -- ones the NSA never uncovered and never used. But this statement portrays the NSA as an honest broker, which it isn't. If the NSA had access to these exploits, it most certainly would have used them before informing affected companies. That's just how this works. As long as exploits are returning intel otherwise inaccessible, the NSA will use the exploits for as long as possible before disclosing this info to US companies. The agency has historically shown little concern about collateral damage and I don't believe putting someone new in charge of the VEP is going to make that much of a difference in the future.
Filed Under: meltdown, nsa, rob joyce, spectre, vep, vulnerabilities, vulnerabilities equities process
Companies: intel
Reader Comments
Fox denies knowledge of huge hole in the fence. Claims it would never harm chickens.
I think a fellow reader summarized it quite well:
He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions. - Thomas Jefferson
Source comment
[ link to this | view in chronology ]
scorpion asks the frog to carry him across on its back. The
frog asks, "How do I know you won't sting me?" The scorpion
says, "Because if I do, I will die too."
The frog is satisfied, and they set out, but in midstream,
the scorpion stings the frog. The frog feels the onset of
paralysis and starts to sink, knowing they both will drown,
but has just enough time to gasp "Why?"
Replies the scorpion: "It's my nature..."
[ link to this | view in chronology ]
"It's my nature..."
A wave of outrage in the frog communities over Scorpion-Rivergate turns into a frog cultural movement towards authoritarianism and nationalism. Scorpions in frog nations are rounded up into concentration camps and put to work. Soon all arachnids are classified as scorpions de facto and interned.
Frog Supreme Directorship (FSD) publishes a list of under-frogs, persons within frog society or who interact with frogs who are either too meek or too dangerous to be tolerated. A bounty is offered to identify underfrogs so they can be captured and interned. Non-amphians are quickly classified as underfrogs causing a refugee crisis of tens of thousands on the shores of Morocco.
Soon disabled frogs, frogs with deviant predilections, purple frogs, countercultural frogs, communist frogs, snake sympathizers and state dissenters are counted as underfrogs and rounded up. Supreme Frog announces a New World Order in which Frog Society will prevail and rule over all species for a thousand years.
Soon, the fifty Frogmacht armor divisions mobilize on the first day of the Great Eastward Frog Offensive to secure Europe and Asia.
Meanwhile The Secret Frog Administration (SFA) contends with the rising overpopulation of its workcamps and ghettos. Under the new budget, the Frog state can no longer afford to feed and maintain the camps, and a more permanent solution to underfrog redundancy must be found.
...or maybe I'm reading too much into the parable.
[ link to this | view in chronology ]
Re:
The whistleblowers are just bringing those reasons to light.
[ link to this | view in chronology ]
However domestically, no comment.
[ link to this | view in chronology ]
Re:
Also no comment on untargeted dragnet surveillance.
From the post:
It also depends on how much they know. The oversight bodies were surprised by some of the stuff NSA were doing, so why not this guy?
[ link to this | view in chronology ]
Well, given how the NSA mangles language...
Except for the parts where every word in their statement means something completely different from what the rest of the world thinks it does.
[ link to this | view in chronology ]
but...
[ link to this | view in chronology ]
can't we all just - just get along
Also: high frame rates and high graphic fidelity are not necessarily mutually exclusive. Just give gamers the option to choose between the two with a check box or slider or something:
-click this box for 60 fps gameplay with medium graphics
-click this box for high graphics with slower than 60 fps
Some might ask "why can't there be a 3rd box -click this box for 60 fps with high graphics"? Well, that 3rd box could exist, but the price of the console would then be prohibitive.
Just thinking out loud...
[ link to this | view in chronology ]
Re: Re: can't we all just - just get along
Real gamers understand that what this person says is the dumbest thing ever. While multiple console exclusives can be annoying, it is great for competition and forces Microsoft and Sony to constantly compete and try to outdo each other. It's one of the things that has led to the booming and vibrant game market today. A collaboration would be horrifying.
Also, @OP, that third box you want? It's called a PC and it's not cost prohibitive.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
I agree, the OP was very off-topic. The way you worded your response, "you gamers", led me to believe you were referring to all gamers, not just this one particular poster. Sorry for the misunderstanding.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
We already know the NSA, Spectre, and Meltdown exist. A new superconsole though? That would be news.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
They last longer and are upgrade-able. Consoles die a lot and you are beholden to a MFG for your shit. Take Nintendo and all the people that lost games because they were bound to their consoles or when a MFG wipes your game saves out when fixing your shit.
Console buyers deserve the miseries they get!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: can't we all just - just get along
When I grow up, I'm gonna make a high end PC, capable of whateverK HDR gameplay at over 60fps, that also has a dock for its included portable (4K HDR >60fps) gameplay device. A PC/Switch combo.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: can't we all just - just get along
#calledit
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: can't we all just - just get along
I play on a 65 inch Samsung QLED that has about 21ms of delay. My human reaction time is around 100~200 ms, but add that to the delay from my TV and I am instantly 10~21% slower just because my TV has 21ms worth of input lag, it really adds up.
I have had situations where I had an older TV that I played on and my friends would mow me down constantly. With my new lower Lag TV I actually am able to win slightly more than 1/2 the time. The difference is noticeable.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
As for the cost of a graphics card for a gaming PC, you don't need anywhere near an Nvidia TITAN to game on high settings. The TITAN is overkill for 99% of all games. If you watch sales and prices you can EASILY pick up a pre-made gaming desktop or laptop for sub-$1000. No it won't be a screaming machine but it will play all games at better than medium graphics without dipping below 60 fps.
If you, for some reason, just can't find a decently priced pre-built system to your liking, you can always buy the components yourself and build a custom rig.
WinXP mode on 7 was and is a joke. That was a piece of junk that barely worked. There is FAR better emulation software out there.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: can't we all just - just get along
I make more than enough money to easily afford every console made. I do have an Nvidia 1080 water cooled and could afford either of the Titan cards too, but it's a waste of money to go that high, hell the 1080 is a waste of money but bragging rights I guess.
Gaming is a passion so much that I have been learning Unity 3d to see if I can make my own game as an indie and make a living there. But I will never buy another console because I hate the monopolies.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: can't we all just - just get along
No, sorry if I was unclear. It doesn't have anything to do with whether he is a true gamer or not. All I meant was that if it was truly that important to him to have every console exclusive, then he should have no trouble finding ways to earn/save enough money to buy them.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
https://arstechnica.com/gadgets/2018/01/dells-xps-15-gets-the-2-in-1-treatment-plus-radeon-rx-vega-graphics/
[ link to this | view in chronology ]
Re: can't we all just - just get along
Exclusive titles are not a problem for Sony and MS. They pay developers to make stuff exclusive to their platforms.
[ link to this | view in chronology ]
Re: can't we all just - just get along
(Do I really need to explain that?)
[ link to this | view in chronology ]
Re: can't we all just - just get along
consoles need to die, everyone needs to just join the PC master race and not because I am a fan boi. But because we need to stop letting these fucking gaming companies develop monopolies. If I could play games with PC/XBOX/PS/Nin players then I would not give a fuck, but I am sick of the monopolies.
If you bought a gaming console then you are directly funding the problem.
[ link to this | view in chronology ]
Re: Re: can't we all just - just get along
The fact that they don't have cross-platform multiplayer doesn't make them monopolies. And if you want to really complain about that, blame Sony. Microsoft is really opening up to cross-platform and so is Nintendo (not their first party games but many third party ones).
If you're upset because you have a different platform than your friends, then that's not really the console makers' fault. Go get a different console or become a PC gamer if all your friends game on PC.
Do changes need to be made in the console world? Yes, but they themselves aren't inherently a problem or bad. I've owned most major consoles up to the Xbox 360 and been perfectly happy to play.
[ link to this | view in chronology ]
Re: Re: Re: can't we all just - just get along
I don't know how common that type of exclusivity is nowadays, but at one point in my awareness of the gaming industry, the impression was that it was nearly standard.
[ link to this | view in chronology ]
Re: Re: Re: Re: can't we all just - just get along
Independent big name games like CoD and Battlefront are multi-platform because they get better sales the more platforms they are on. Whereas first party titles made by the console maker give people a reason to buy their specific console.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: can't we all just - just get along
There's a considerable difference between "We're going to release this for our own platform and nothing else, because we want to" and either / both of "If you release this for any platforms other than ours, we'll penalize you" or "If you release this for only our platform, we'll reward you".
[ link to this | view in chronology ]
The flaw in the tlb
IBM researched it and that is why OS/390 running on X86 doesn't suffer from the flaw.
This isn't an NSA problem, this is a problem with the tech companies who buried their heads in the sand.
[ link to this | view in chronology ]
Old news?
And he called this whole mess 11 years ago!
https://marc.info/?l=openbsd-misc&m=118296441702631&w=2
As a result, OpenBSD required NO patches for this issue. The workarounds have been in the code since this issue was spotted by Theo. 11 years ago. The information was there. But no one listened.
[ link to this | view in chronology ]
Re: Old news?
OpenBSD isn't perfect, of course. Nothing is. But it's so far ahead of everything else that there's really no debate to be had. And the biggest reason why it's so is that Theo wants it that way. Kudos to him.
[ link to this | view in chronology ]
*Why* didn't they know?
Cache attacks, and side channels in general, have been all the rage over the past year or two. And particularly after Rowhammer, researchers made good progress in reverse-engineering CPU cache behavior in detail. E.g., "On 27 March 2017 researchers at Austria's Graz University of Technology developed a proof-of-concept that can grab RSA keys from SGX enclaves running on the same system within five minutes by using certain CPU instructions in lieu of a fine-grained timer to exploit cache DRAM side-channels." Or see how a researcher got really close to finding it last August; or how quickly people started looking in the right areas once they got suspicious of those Linux patches, and figured it out from AMD's statement.
If the NSA didn't know, it reflects poorly on their capabilities. It was obvious to everyone that this was a fruitful research area, and most researchers are using imprecise and slow black-box reverse-engineering methods. With the NSA's resources, they should already have figured out in detail how the CPU's caches and speculative executors work—the government computers they're supposed to defend (and attack) are depending on it after all. Based on research trends they should've had a team looking for stuff like this by 2016 at the latest; and it shouldn't have taken them more than a few months to find these exact bugs.
Crypto researchers used to say the NSA was a decade ahead of the public. Whether they knew of Meltdown or not, they certainly don't seem that far ahead anymore.
[ link to this | view in chronology ]
Re: *Why* didn't they know?
Disinformation works best
[ link to this | view in chronology ]
what about MINIX
First Apple is throttling crap, now this Intel mess. Next they're gonna be telling us that Santa Claus isn't real.
If it's man built, it's not perfect, because man is not perfect.
[ link to this | view in chronology ]
Re: what about MINIX
As is the licensing of Minix.
[ link to this | view in chronology ]
Re: Re: what about MINIX
Not entirely separate: MINIX is likely affected by this problem too. (Apparently the CPU's built-in copy of MINIX runs on a tiny 486-class CPU which isn't vulnerable. But MINIX running as the main OS would be.)
[ link to this | view in chronology ]
would never put a major company like Intel in a position of risk
In other words: Already did. ALL major companies and everyone else IN THE WHOLE WORLD. For three years.
[ link to this | view in chronology ]
how about
https://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to
Not only would the NSA absolutely and GLEEFULLY abuse vulnerabilities, they will PAY companies to put them into their products intentionally!
[ link to this | view in chronology ]
The NSA has an interesting relationship with "knowing"
Clapper: "Not knowingly."
Translation: NSA doesn't need meltdown/spectre, because it already owns the Intel Management Engine and "Trusted" Execution Engine.
[ link to this | view in chronology ]
I fixed it for you
Should be:
> affecting billions of processors
Cue the Dr Evil impressions now.
[ link to this | view in chronology ]
Heinlein On Lying
[ link to this | view in chronology ]
If They Didn’t Know ...
The NSA might as well be shut down.
[ link to this | view in chronology ]
not smart enough for the lying game
[ link to this | view in chronology ]
In Other News ...
... Bruce Schneier is predicting that, now that security researchers are taking an interest in microprocessors, more such unpleasant discoveries are likely to come.
[ link to this | view in chronology ]
Re: In Other News ...
Keeping an eye on RISC-V.
[ link to this | view in chronology ]
Re: Re: In Other News ...
That does look the most promising. There are a few others:
I'll be interested in playing with these open CPU projects once the general FPGA-development clusterfuck (i.e. the requirement for proprietary tooling) is resolved. There's Project IceStorm but it supports fairly weak FPGAs only.
[ link to this | view in chronology ]
Re: In Other News ...
Not much of a prediction, really: "Though Intel was indeed working on a fix, the Graz team wasn't the first to tell the chip giant about the [Meltdown] vulnerability. In fact, two other research teams had beaten them to it. Counting another, related technique that would come to be known as Spectre, Intel told the researchers they were actually the fourth to report the new class of attack, all within a period of just months." (from Wired)
Look at the crazy history of multiple discovery too. It's (one reason) why patents are unfair, and delayed bug disclosure is dangerous.
Someone posted a link to a decades-old CPU design book saying that obviously speculative fetching must be prevented from crossing privilege levels; and lots of links to old messages where people almost figured out the bug. Researchers have been pushing hard at these parts of the CPU for the last couple of years in particular. Hell, I don't know much about it, and when I saw that AMD message I looked at Intel's optimization guide and thought the BTB stood out (involved in prediction, has a fair bit of state, and severely underdocumented).
[ link to this | view in chronology ]