So since Intel have now confirmed that they are unwilling to fix...
.....items faulty at time of sale then compensation/replacement with working item seems to be in order.
Intel has issued fresh "microcode revision guidance" that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production …
Yep, exactly! And for those of us that kept those CPUs specifically because the ME could be disabled, Intel should need to either provide replacement ME-free CPUs or fund the full cost of replacing their broken CPU with something that is ME/PSP free and in a similar performance class.
Or, you know, just release their microcode signing keys and source, then let us have at fixing it....
Depends on the definition of faulty I suppose.
Car analogies are always a good bet on a downvote, but let's say a car maker were hauled over the coals for using glass in their windows. That glass can be smashed and used to gain access to the car and have a good rummage around the glove box.
Would the manufacturer be liable in the same way? After all, the window served its purpose just fine until someone decided to unearth the hidden weakness in it, much like these CPU bugs.
Still, common sense has no place in the US legal system.
It's a non-obvious vulnerability that comes about because of fundamental features of how the chips work.
So I'd say it's like suing a car company over carjackings, because they made cars that had to stop at traffic lights.
Another way to get a lot of down votes is to point out 2nd and 3rd order effects people don't want to hear.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees, and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
As security professionals, you should all understand and identify risk management based decisions; and be intelligent enough to understand it. This is done by all corporations all the time. Including the one you work for.
Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees,
And?
and/or raise the cost of the next computer you purchase by a couple of hundred dollars.
You think that releasing a microcode update for each of the "wontfix" CPUs on the list (the ones they promised had fixes incoming) is going to add that much to the cost of my next computer? How do you figure that?
The last computer I bought (Dec 2017) cost less than a couple hundred dollars as it was, but even if it was a high-end desktop instead of a Chromebook-spec Windows laptop (well, used to be a Windows laptop), that figure is still pretty ridiculous. Microcode updates are a regular part of development for a given CPU; mine have received several over the course of their lives, as OS updates.
You think issuing just one more microcode update for a CPU that has already had several over its lifetime is going to cost that much?
Also, why would Intel's difficulties have anything to do with the cost of an AMD system? 'Cause, fsck Intel if they're not going to stand behind their products OR keep their word.
"Sure, Intel can put a lot of resources into fixing 8+ year old chips, which are probably used by less than 3% of the market... but doing so will likely stop Intel from providing good raises or other benefits for its employees"
Yeah, right, this is just like how all the companies immediately gave their employees raises and created new jobs when the Trump tax cuts for the rich and corporations went through. It didn't happen. They did stock buy back instead.
Struggling for a good car analogy because most things that fail can be fixed/replaced with new or recycled parts.
However let us invent some metal fatigue problem which has a potential to cause a chassis failure in cars over 10 years old which could only be rectified by a new body shell.
How likely is it that the manufacturer would (as some commentards seem to be suggesting) provide a brand new body shell (from a non-existent production line right back to the steel maker) or failing that a brand new car?
Consumer law is unlikely to try and enforce this because the vehicle has lasted a reasonable time. Any compensation would probably be limited to the current trade in value (prior to the discovery of the fault).
So what is the street value of a mid specification Core 2 Duo (or quad) system? That is, processor, memory and motherboard?
If Intel really cared they might do a scrappage deal where if you handed in a motherboard, processor and memory then you would get say 50 UKP off a brand new configuration. Or hand in a complete laptop and get similar off a brand new one.
Restarting a production line for old chips with a different silicon density and different leg count so you can replace chips like for like - that is, several generations where the pin numbers and locations have been deliberately changed to force you to buy a new motherboard with a different socket - is obviously not feasible. What happens to old silicon foundries anyway, when the next generation of fabrication hardware is installed?
Free replacement isn't going to happen for reasons above (plus probably many others) and a scrappage scheme to get you to buy the latest i9 is in effect rewarding Intel for designing vulnerable processors.
If you bought a retail boxed CPU on its own, perhaps. I would bet money 99.999% of people however opted for the substantially cheaper OEM tray part and have no course of action at all, they waived that at time of purchase of the system builder part.
Actually, most of the CPUs I've bought new from retailers have been the retail version - they're practically the same cost and come with a cooler that's guaranteed to work (if perhaps not to be the most effective option).
My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..
My latest CPUs were second hand, though, as buying new Xeons is more than a little expensive for a non business user..
Actually, ALL my CPUs these days are second-hand, because I haven't bought a NEW computer in years (most are scavenged systems, or handoffs when MSWin "advanced" to the point they were unusable for the standard home user. They run Linux just fine).
"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Ah good, so my i7-920 is covered then? Oh, wait... Bugger.
That should teach me buying a CPU from a reputable vendor such as Intel. 'cause AMD supposedly was much worse at this lark.
> Dammit, I still have i7-920's in use. Fortunately, not on the public interwebs though. And now I'd better make sure they never are.
Fuck. Just checked, and my main gaming rig is on the list too. It's an Intel Core2 Extreme X9650. It does absolutely fine for the stuff I use, and there's no damn way it's "too slow", etc.
Intel, you'd better think again. You screw this up, it's on you to fix it.
The odds of Spectre causing a major security problem for a gaming rig are probably low. A far more likely scenario is an accidental backdoor in one of the games you play, or an intentional backdoor in a sketchy mod you install. If you want to be careful, do your banking on another system.
"oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use."
Yeah, I was thinking about that line too... you know how we keep hearing about the tragic decline in PC sales? The reason is that the end of Moore's Law (such that it has been called) means that older kit stays usable much longer, and people are using it much longer. I certainly am, and I know several others running gear old enough to be on Intel's "wontfix" list. I think you might be surprised at how much old computer equipment is still in use-- and why not? For most computing tasks, older gear is still very usable today. We've reached a point that a great many people only replace PC gear when it stops working, not because it's too slow... they're like toasters or other commoditized items. If it works, keep using it until it doesn't.
It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file, and there is a LOT of old gear still being used today, including for web browsing (the most likely vector for most people to be affected by Spectre, via JavaScript).
It's purely anecdotal, but I pay attention to what gear people run when in discussion forums, whether it is pertinent to the thread at hand or just something listed in a signature file
Maybe El Reg could approach STEAM to see if they would allow access to their system spec sheet, as all of their players can load up their specs, and as a quick check, I can't think of anyone else of equivalent size who may have similar data sets.
And almost all, if not all, of that kit will not be in use in such an environment where any of this matters.
None of it matters for any PC anywhere as long as the threat remains theoretical, but it remains to be seen if it will. My C2D Penryn laptop is assuredly in an environment where this could matter, browsing the web and what not...
Plenty of 2007-2011 CPUs still in use, my daughter's system runs a Harpertown Xeon, and it doesn't lack anything against a current system for anything except modern, high end games and 4K video.
Equally, my parents still run a Core2 Duo E4xxx, although TBF, that is slower than a 3 legged tortoise.
In fact, only one PC in the family runs a cpu built after that date - and that is an AMD cpu anyway.
Sooo.... If this is a real thing, you might want to run. AMD brought in a VP from Apple to drive the infrastructure needed for the K7 (Athlon). He had 0 appreciation for component validation. After 18 months, the director of validation (who had built the validation team at AMD) quit. So yeah, I don't think I would be in a hurry to buy Apple-designed CPUs. (Bitter? Me?)
quite a few of those processors in use. I still have a Yorkfield core 2 quad (Q8200) in my HTPC so certainly not a "Closed System". With 4 GB ram, AMD HD7750 GPU and a Mint install it is still serviceable. Am I supposed to retire a perfectly adequate machine just because intel can't be bothered to fix a security flaw in their chips?
I have a Dell OptiPlex 760 desktop from around 2007 which, after ditching the Vista install and bumping up the RAM to 4GB, can happily run Linux Mint Mate and is used daily when working from home for office and internet tasks.
I have never been an Intel fan, perhaps because I grew up with Commodore computers (C64 then Amiga) and my first home built PC had an AMD K6. But this makes me even more determined not to give Intel any more money either direct or indirect by buying a system with an Intel CPU from a PC manufacturer.
This is typical Intel - "support? No, we don't care about anything that might cost us money. Besides, that part should have been replaced by now."
Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. Or even government - replacement cycles in government tend to be longer than the private sector because if they're not the press start screaming about "taxpayer's money"...
"Also, anyone else noticed there's a lot of Xeons here? I'm wondering how many are in use in corporate servers. "
Went out shopping with my wife today. In Matalan I saw a 14" Dell CRT screen behind the checkout counter. No idea what it was plugged into though. It does make me wonder what state the rest of their IT kit is in.
Search for your CPU here https://ark.intel.com/search?q=
(it's not entirely accurate, despite being Intel, but is good enough).
Look up the product family in this document
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
Patches are supplied as part of your operating system, so just apply the latest patches. For Unix based systems, upgrade to the latest patched release.
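
Added example, not part of the original post: after applying the patches as described above, a Linux machine can show what it actually ended up with. The script prints the CPU model and loaded microcode revision (for comparison against the guidance document) and the kernel's own per-issue status. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report CPU model, microcode revision and kernel mitigation status.
# Paths are parameters so the functions can also be run against sample files.
# Run with "--live" to inspect the current machine.

# Print the value of one /proc/cpuinfo field ($1) from file $2 (first CPU only).
cpuinfo_field() {
    awk -v key="$1" '{
        i = index($0, ":"); if (!i) next
        name = substr($0, 1, i - 1); sub(/[ \t]+$/, "", name)
        if (name == key) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
    }' "$2"
}

# Map one kernel status line to a short class.
classify() {
    case "$1" in
        "Not affected"*) echo ok ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo unknown ;;
    esac
}

# Print "<issue> <class> <kernel text>" for each file in the sysfs directory.
# Returns 1 if any issue is reported as vulnerable, 2 if the directory is absent.
vuln_report() {
    vdir=${1:-/sys/devices/system/cpu/vulnerabilities}
    found=0
    if [ ! -d "$vdir" ]; then
        echo "$vdir missing: this kernel does not report mitigation status" >&2
        return 2
    fi
    for f in "$vdir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify "$status")
        if [ "$class" = VULNERABLE ]; then found=1; fi
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return "$found"
}

system_report() {
    echo "CPU:       $(cpuinfo_field 'model name' "${1:-/proc/cpuinfo}")"
    echo "microcode: $(cpuinfo_field microcode "${1:-/proc/cpuinfo}")"
    vuln_report "${2:-}"
}

if [ "${1:-}" = "--live" ]; then system_report; fi
```

A non-zero exit status means at least one issue is still reported as vulnerable, or the kernel is too old to say.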