Hands up who HASN'T sued Intel over Spectre, Meltdown chip flaws

Intel says it is facing 32 separate class-action lawsuits following the revelations it shipped millions of processors with security design flaws dubbed Meltdown and Spectre. The figure was slipped into its annual 10-K financial filing, submitted earlier this week to the US Securities and Exchange Commission (SEC). Speaking to …

  1. beast666

    When do I get my design flaw free Skylake X?

    1. Mark Eaton-Park

      >When do I get my design flaw free Skylake X?

      Given that this is intel then never

    2. Anonymous Coward

      >When do I get my design flaw free Skylake X?

      Don't forget, new motherboard and new copy of windows if it's OEM, a tidy sum Intel owes you.

    3. Wensleydale Cheese

      "When do I get my design flaw free Skylake X?"

      The BOFH covered this one in yesterday's column:

      “EOL sounds so much better than RECALL doesn’t it?”

    4. Anonymous Coward

      You don't.

      Remember when you opened your retail CPU box, there was paperwork? You had to read it. By not returning your CPU, you accepted the EULA.

      However, far more likely, you didn't buy a retail CPU, you bought the much cheaper OEM CPU, in which case, yet again, you also don't get a new CPU, as you being the OEM, you take the hit for any problems,...

      1. Hans 1
        Unhappy

        >Remember when you opened your retail CPU box, there was paperwork? You had to read it. By not returning your CPU, you accepted the EULA.

        >However, far more likely, you didn't buy a retail CPU, you bought the much cheaper OEM CPU, in which case, yet again, you also don't get a new CPU, as you being the OEM, you take the hit for any problems,...

        They can write all they want in their EULA.

        Facts: CPU was said to have performance x, it seems that now it has performance y because software had to be adjusted .... they sold a car that could do 300km/h, due to a software patch, it can now only do 250 ... they can write whatever they want in their EULA, if they were aware of the issue when you bought your CPU and YOU were not told, then they need to fix it for you ... I happen to be in that case and am looking into the options at my disposal (no class actions in France), I got an i5 8600k for Xmas ... had I known, I would have gone Ryzen. Well, was NOT for me, had it been me, Ryzen all the way, I digress ... I know Ryzens are also affected by some vulns, NOT the worst, and this is beside the point.

        1. KSM-AZ

          But they didn't claim any such thing

          I'd like to see the guarantee, or claim made by Intel, that their chip would run any particular software at any particular defined rate. Statements like this are stupid. Further, all these issues could be addressed by software at the OS level 100%, by creating an OS level security model around the behavior. So let's sue Microsoft and the FSF and Apple and... Better yet, why don't you just turn all your shit off if it's really that bad to you. This is just flame bait.

          In the case of the multiply bug Intel DID make claims. In this case the device performs as advertised. The fact that performance comes with some security issues is what it is. Re-write your kernel to handle it, or move on. In the meantime show me someone who has successfully used this outside of a lab to actually gain something useful.

        2. csecguy44

          Ryzen is also affected

      2. MrDamage Silver badge

        > "Remember when you opened your retail CPU box, there was paperwork? You had to read it. By not returning your CPU, you accepted the EULA."

        So Intel think they can get away with imposing extra terms and conditions on the consumer after the point of sale? That might be the case in the land of the "free", but in civilised countries, those terms and conditions must, by law, be made apparent to the consumer PRIOR to the point of sale. Failure to do so renders the EULA null and void.

        So Intel owe me, and hordes of others, replacement CPUs, and all the associated parts to run it.

        1. Anonymous Coward

          Did you actually buy the CPU off Intel directly? Have you spoken to whoever it was that actually sold you the CPU? That’s who you need to talk to, not Intel.

      3. Doctor Syntax Silver badge

        "By not returning your CPU, you accepted the EULA."

        At best a EULA is a contract. Contract terms can't breach the law in the appropriate jurisdiction. For consumer products, at least in Europe (yes that includes the UK) and maybe other places there's strong consumer protection legislation. If some words purporting to be a term on a contract are contrary to that legislation (assuming we're talking about consumer sales) then they might as well not be there as far as the contract is concerned because any court would strike that term out.

      4. John Brown (no body) Silver badge

        "Remember when you opened your retail CPU box, there was paperwork? You had to read it. By not returning your CPU, you accepted the EULA."

        Nope. Contractual terms you can't read until after opening the box are null and void. You enter into the contract at the point of purchase. All valid contractual terms must be available at that point. Unless, of course, Intel include in the EULA the refund of the "restocking fee" a retailer charges for returning an opened item and maybe an inconvenience fee for trying to impose contract conditions after the purchase, but of course, they don't. There's never anything in a EULA that might benefit the buyer, which probably makes it invalid anyway since that would be an unbalanced contract purely in favour of Intel.

        Just as an eg, I've seen EULAs in UK retail products from US companies which state that any legal challenge can only occur in $home-state, which is an outright illegal term in a UK sales contract, especially when said US company has a UK or EU office.

  2. Andrew Commons

    Software next?

    Maybe we could see software manufacturers being sued for vulnerable products at last? Although I imagine they have covered themselves as much as they can in the EULAs, but these are not sufficient in all jurisdictions.

    1. Mark 85

      Re: Software next?

      So, M$ would be in deep crap for their operating systems? This could be interesting when the dust all settles. I'm guessing more than a few companies will empty buildings.

    2. Wolfclaw

      Re: Software next?

      I believe US EULAs are not enforceable in the UK/EU, due to different legal wording or some rubbish like that, but haven't heard of any class action in the UK, yet?

      1. Anonymous Coward

        Re: Software next?

        "but haven't heard of any class action in the UK, yet?"

        Whilst "group litigation" is permitted in the UK, and is similar to the concept of US class actions, there are some important differences. Firstly, UK civil law custom & practice usually means the losing party have to pay the winner's legal fees. That makes taking on large corporations very risky, because the company will often engage large and very expensive legal advisory teams (and they know this, and act accordingly). Second, the UK limits the success fees that a law firm can charge, meaning that the group's law firm can't load massive fees into a winning contingency arrangement - although no win no fee is permissible, it'll usually only be offered for a sure fire winning case. And third, the actual settlements in UK civil cases are typically much lower than a US court might award.

        So overall, a very unfavourable climate for class actions for things of this nature. That does stop frivolous legal action, but equally it makes large companies essentially immune to legal action unless the claim is very high value.

        1. Anonymous Coward

          Re: Software next?

          Ledswinger is quite correct, the UK doesn't have the same personal litigation that the US has simply because we have government agencies who are supposed to prevent companies selling inferior or faulty equipment and thus prevent wasting of court time/money. These agencies are also supposed to address any company found to have sold inferior products but sadly when it comes to US big names our "protectors" have always been very quiet.

          I am guessing that the UK will have to wait until Europe address this before any reparations from US companies are forthcoming.

          1. John Brown (no body) Silver badge

            Re: Software next?

            "I am guessing that the UK will have to wait until Europe address this before any reparations from US companies are forthcoming."

            I'm guessing that will likely take more than 14 months too, so may not be of much use to UK customers.

        2. Doctor Syntax Silver badge

          Re: Software next?

          "That does stop frivolous legal action, but equally it makes large companies essentially immune to legal action unless the claim is very high value."

          If the claim is low enough to fit in the small claims route then large companies are vulnerable to individual claims as they can't claim back their fees if they lose. They then have to make a decision as to whether it's worth fighting a case at all. If the circumstances are that there could be a flood of claims then it probably would be, if not then it would be cheaper to write off the case and settle.

          In the current situation I think the claim would have to be against the retailer not Intel. This makes small retailers (if there are any left!) vulnerable. Against a big company? Best let someone else go through the expense of fighting Intel first so it's easier to point to established facts rather than risk being the first in line and crushed by a strong defence aiming to stop further claims.

      2. Doctor Syntax Silver badge

        Re: Software next?

        "I believe US EULAs are not enforceable in the UK/EU, due to different legal wording or some rubbish like that"

        I'm not sure whether you were referring to the wording being rubbish but if it's contrary to the law where the product was sold then that would indeed be an apt description because a court would just strike it out.

        "but haven't heard of any class action in the UK, yet?"

        Class actions haven't normally been a part of UK law. There is, however, recent legislation to this effect: http://www.bbc.co.uk/news/uk-34402483

        It doesn't seem to me the best way to go about gaining redress if the amount to be claimed is within the limits of the small claims court (or small claims track of the county court in England & Wales). AFAICS class action in the US seems to be basically a money-making scheme for lawyers. What's left over, from some reports here, doesn't even go to the claimants. Small claims courts take out the financial risk of losing as there's no facility for BigCo's lawyers fees to be dumped on the litigant. That, in turn, makes it not worth while for BigCo to put a lot into defending the claim as it would cost them more than they'd save if they lost. In a case like this, however, it would be best to leave someone else to get a case on record establishing liability as otherwise a judge might decide it's too complicated for a small claim.

    3. a_yank_lurker

      Re: Software next?

      EULAs often contain language that is unenforceable in all jurisdictions. Also, they have not been litigated in most jurisdictions very much so their legal viability is a bit murky. This is a vulnerability that could come back and bite Slurp and others if much of the EULA is found to be unenforceable or illegal.

  3. redpawn

    I'll be waiting

    for my four cent check.

    1. Steve Davies 3 Silver badge

      Re: I'll be waiting

      don't forget to declare that huge windfall on your tax return... (sic)

  4. onefang

    I'm gonna meltdown some butter over my popcorn, this'll be very entertaining.

    1. Steve Davies 3 Silver badge

      re: popcorn

      That popcorn will be a putrefied mess before this gets settled.

      Just think about SCO vs IBM. 15 years and counting.

      1. onefang

        Re: re: popcorn

        "That popcorn will be a putrefied mess before this gets settled."

        In the same way that Intel seems to be able to concoct new hardware bugs all the time, I can keep making fresh batches of popcorn. I'm more worried about running out of flavours of soft drink to wash it down with, if I choose a different flavour for each lawsuit.

  5. sanmigueelbeer

    As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed.

    And that is what I'd like to call a gang-bang-butt-slam. Thank you, ma'am.

  6. Doctor Syntax Silver badge

    Great PR wording

    "Purport"

    "Various classes"

    "Generally claim"

    Impression conveyed: this is a noisy bunch of little people, nothing to really worry about.

  7. DenTheMan

    Only 20 class actions less than the unmentionable.

    No invites for guessing who.

  8. mark l 2 Silver badge

    I guess it comes down to the fact that if for around 6 months Intel knowingly shipped defective products just to line their pockets, knowing that a patch to fix the flaw would cause the CPUs to become less effective.

  9. DCFusor

    Fork in the road far back

    I think the fun and sanity went out of much of CPU design awhile back, when transistor *speed* stopped going up, and while Moore's law was still going, trying to substitute LOTS more transistors instead of making them faster - since basically a wall was hit trying for that. Of course, that's what led to these security issues too - but the die was cast.

    Trying to make switches faster and staying within TDP and heat density led to trying to lower voltages below what the technology would really support - this was done to avoid the power loss charging and discharging all those little incidental capacitors in the "wires". But at some point, if you dope transistors such that they can turn on at super low voltages, they don't really turn off that well either - so the old CMOS "draws no power if not toggling" is lost. So you hit a wall there too.

    Other than the usual marketing, and quantity (of cycles) has qualities all its own - why? Seems the real reason is storage and latency. RAM never kept up, and the dash to size left SRAM behind. Now we have a memory bus with fantastic marketdroid numbers of GHz - but latencies of many many cycles to get that first byte - see your BIOS, I need not make things up. That GHz number is for one cycle, and nothing whatever happens in one cycle with DRAM - not even close. To attempt to overcome the effects of nasty latency, CPUs tend to try to at least get a burst of data for each access - a cache line, as it's often (but not always!) the case that if you need a byte, you probably are about to need the next few. Unless your code is doing about the only thing that makes computers interesting - that good old if() - anything that never conditionally branches might as well be done with gears...it is the glory of computers to do something different depending on the input.

    Tracing things back - all these are because CPUs were actually plenty fast - faster than ram by a good bit, and tried to make up for that by using even more CPU transistors so as to need to talk to ram less often, kind of, this is hard to condense for those not in the know and who haven't struggled with design on the level of this stuff.

    We've now reached the level (finally) where this even makes a bit of sense. While we go to enormous caches on CPU chips (Even those have horrible latencies past L1), the issue is now becoming the speed of light distance from the CPU to the memory, and that latency is not going to be solved unless we somehow magically get both CPU and the main RAM all on the same chip - and maybe not even then...seems 3D as works in flash might not fly here due to heat density issues.

    I do find it interesting that one design with which I was very closely associated - a TI DSP (tms320c30) and designed some product around - was faster than a 200 MHz Intel PII CPU - while running at 40 MHz.

    All SRAM, very little cache - just enough to do a tight loop in. No wait states or multicycle accesses. But general purpose CPU design took a different turn, and here we are.

    I do miss the days when my tech product design company upgraded all our engineers' computers every 6-9 months and it was worth doing. Now...machines around here get old enough to get flaky and it's not economically obvious why they should be updated till they fail - there's nothing much happening performance or feature wise anymore.

    This of course amplifies the push to somehow throw more transistors at what is a conceptual problem happening at another level. Subtlety is going to beat brute force...again. That's my prediction and you can hold me to it.

    1. Anonymous Coward

      Re: Fork in the road far back

      @DCFusor

      The race for speed doesn't seem to have provided much functional improvement for some simple applications.

      *

      Example One: Write a letter using a word processor.

      Then: Wordstar on CP/M and a Z80 chip at 4MHz and 64K memory (1982)

      Now: MS Office on Win10 and an Intel chip at 3GHz and 8GB memory (2018)

      Conclusion: Apart from the GUI and fonts, ABSOLUTELY NO DIFFERENCE

      *

      Example Two: Manage a (somewhat relational) database on a PC

      Then: dBASE IV on MSDOS 3.3 and a 386 chip at 8MHZ and 640K memory (limit 1 billion records)(1989)

      Now: MS Access on Win10 and an Intel chip at 3GHz and 8GB memory (2018)

      Conclusion: Apart from the GUI and fonts and SQL, ABSOLUTELY NO DIFFERENCE

      *

      So what is all that "speed" actually providing to this user? What am I missing?

      Signed: Dinosaur

      1. DCFusor

        Re: Fork in the road far back

        I noticed the same thing - I've been playing in this game since before ICs, and was lucky to have parents score me a PDP-8 early on. My first Xerox 820 (forerunner to the Kaypro) was eye opening compared to that - and as you say, did most everything functional you could want, unless you wanted realtime audio/video, huge math simulations, or just really had to substitute pictures of characters for 1 byte ascii representations a Z80 could push around quickly. For the average person, that's not a huge difference, as most people don't produce audio and video, and there are other ways to consume them. The rest is just slickness.

        And size, but so far "big data" seems to be used mainly for some people to control other people and take their money. I don't see a huge advantage in that for the average person.

        But a company has to make money selling product, so they have to invent a need to ditch the old one and buy a new one, else they go out of business. Marketing is the root of many evils!

        So are mortgages...and empty stomachs, but that's another topic.

        I guess I'm trying to say that once certain choices were made in architecture, we collectively fell into some sort of sunk cost fallacy when we perhaps should have been looking at a new organization of compute and storage.

        Look where we are now - we're finally using more cores/threads, and I read here recently about some vendor touting putting compute and storage a lot closer together. If we'd started down that path...which I admit did seem hard at the time - a lot of things aren't trivially parallelizable - we might be at a place that scaled a lot better - and didn't have at least this set of problems. We never tried too hard to find new ways to parallelize many problems because we didn't have to - yet. Now...it's another story.

        I remember back in the late 70's a paper on "contextually addressable segment sequential memory" where lots of little compute/memory chunks could be tied together really opened up my eyes. In this, you had a "right sized" chunk of storage per CPU, such that the time for it to fully process that was "reasonable" - say a pass rate of 60Hz or so - and then you could chain these together forever even over relatively slow links and scale to the skies (at least for some types of work). None of this side channel timing stuff would be an issue in such an architecture (which of a zillion things would you even time?)...The sheer size of a database this enables is staggering compared to the old way of doing things - I'm not going to advocate for going backwards in performance, I'm advocating looking at new ways that can pay off in the future with more - the current path, chosen awhile back, kicked the can down the road. We ran out of road.

        Time to build roads. Or airlines, or teleporters. Time to think about how we approach this, rather than just trying to brute force it into smaller nanometers, more transistors and so on. Speed of light isn't going to change anytime soon, I reckon.

        And yeah, I'm a dino too - that isn't necessarily a bad thing if one learns from experience.

      2. Doctor Syntax Silver badge

        Re: Fork in the road far back

        "dBASE IV on MSDOS 3.3 and a 386 chip at 8MHZ and 640K memory (limit 1 billion records)(1989)"

        Did anyone actually try it at a billion records?

        1. KSM-AZ

          Re: Fork in the road far back

          BBx/Mkeyed on SCO, with ~100M records. Wouldn't fit on a single drive of the day. I think we had 3 RAID arrays with 1G drives in them, this monster took 2. Further, you could forget backing it up easily. CPU is rarely the bottleneck since before 2000. Disk performance has increased dramatically with SSD, but CPUs still spend most of the time waiting for I/O. Meltdown was trivially addressed, and new OS kernel models will improve performance closer to ignoring it. Spectre is kind of far out there from an exploit concept. Both will be addressed in the nextgen chips at some level. Let's be real about this, and stop sensationalizing the impacts. Your Netapp/EMC/IBM storage array is your bottleneck, and these issues are irrelevant to them.

          1. Carpet Deal 'em
            Boffin

            Re: Fork in the road far back

            "Meltdown was trivially addressed, and new OS kernel models will improve performance closer to ignoring it."

            The Meltdown mitigation is trivial only in concept. There is a massive performance difference between mapping kernel memory into each and every process's address space (SOP until now) and isolating it to its own, separate address space. This is expensive at the hardware level and always has been; there's no way for an OS to compensate.

            As an analogy, let's replace syscalls with changing the volume on your TV. The modern standard for changing volume is with a remote; the Meltdown mitigation is roughly the equivalent of getting up each time you needed to change it. Needless to say, it takes a lot longer for the volume to be changed (syscalls to be completed) than before.

            And before you say "performance, uh, finds a way", microkernels have been suffering from just this problem since they were conceived; if there was a solution, decades of research would've found it by now.
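
As an added example, not part of any comment in this thread: a defender's check of whether a Linux host is running the Meltdown mitigation discussed above (kernel page-table isolation, KPTI), and so paying its syscall cost, or has had it switched off at boot. The sysfs file and the boot parameters are real Linux kernel interfaces; the function names, result labels and sample inputs are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Meltdown/KPTI state that
# the Linux kernel reports. Function names and result labels are hypothetical.

SYSFS_MELTDOWN=/sys/devices/system/cpu/vulnerabilities/meltdown

# kpti_disable_flag CMDLINE
# Print the boot parameter that turns KPTI off, if the command line has one.
kpti_disable_flag() {
    case " $1 " in
        *" nopti "*)           echo "nopti" ;;
        *" pti=off "*)         echo "pti=off" ;;
        *" mitigations=off "*) echo "mitigations=off" ;;
    esac
}

# classify_meltdown STATUS CMDLINE
#   STATUS  : contents of the sysfs meltdown file ("" if the file is absent)
#   CMDLINE : contents of /proc/cmdline
classify_meltdown() {
    status=$1
    flag=$(kpti_disable_flag "$2")
    case "$status" in
        "Not affected"*)    echo "not-affected" ;;
        "Mitigation: PTI"*) echo "mitigated-kpti" ;;
        Mitigation:*)       echo "mitigated-other" ;;
        Vulnerable*)
            # Distinguish "never mitigated" from "mitigation turned off".
            if [ -n "$flag" ]; then
                echo "vulnerable-kpti-disabled:$flag"
            else
                echo "vulnerable"
            fi ;;
        Unknown*)           echo "unknown-hypervisor" ;;  # e.g. Xen PV guest
        "")                 echo "unknown-no-sysfs" ;;    # kernel predates the file
        *)                  echo "unknown" ;;
    esac
}

# Constructed sample inputs: "STATUS|CMDLINE"
for sample in \
    "Mitigation: PTI|BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet" \
    "Vulnerable|BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti" \
    "Vulnerable|BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro mitigations=off" \
    "Not affected|BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro"
do
    printf '%-16s -> %s\n' "${sample%%|*}" \
        "$(classify_meltdown "${sample%%|*}" "${sample#*|}")"
done

# Report the machine this runs on, when the kernel exposes the file.
if [ -r "$SYSFS_MELTDOWN" ] && [ -r /proc/cmdline ]; then
    printf '%-16s -> %s\n' "this host" \
        "$(classify_meltdown "$(cat "$SYSFS_MELTDOWN")" "$(cat /proc/cmdline)")"
fi
```
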

      3. BinkyTheMagicPaperclip Silver badge

        Re: Fork in the road far back

        There's been a crapload of improvement in computing.

        The two main improvements are 1) It's easier and 2) networking.

        Yes, to write a letter I could just as effectively dig my Amstrad PCW from the loft, write a letter in Locoscript, and print it on a dot matrix. The same machine had databases, and a BASIC supporting Jetsam.

        Now try including multi page documents with diagrams and watch productivity decrease - yes, it could do it, and I did use DTP packages to create some well presented documents. It took much longer than modern solutions, and wasn't nearly as accessible.

        It's only relatively recently that networking has become viable for the average user, not to mention the availability of rich multi media world wide communication, orders of magnitude better(*) than the bulletin boards and online communities (i.e. CIX) of yore.

        (*) In terms of being able to carry on a focused discussion, generalised communication platforms such as Facebook and Twitter are inferior to both personalised blogging systems such as Dreamwidth/Livejournal in the past, and CIX/Compuserve/The Well before them. There are now many separate focused communities on different platforms rather than a small number of communication platforms with many focused communities.

  10. razorfishsl

    Simple... return your CPU and get an upgraded one.....

    1. Mark Eaton-Park

      @razorfishsl and "Simple... return your CPU and get an upgraded one....."

      Well firstly Intel do not make an upgraded CPU that is any better and secondly Intel do not accept that they have done anything wrong or the need to compensate their customers. Thus even if Intel were willing to accept some part of the blame it would not be a case of just the CPU, it would be CPU, motherboard, RAM etc because different manufacturers have their own specifications.

      1. Doctor Syntax Silver badge

        "Intel do not accept that they have done anything wrong or the need to compensate their customers."

        That's why people are suing. When the case is over then they'll know whether they need to compensate their customers. They may not accept they've done anything wrong if a court tells them they have but that would be between themselves and their sense of their own importance and of no significance to anyone else.

        1. John Brown (no body) Silver badge

          They may not accept they've done anything wrong if a court tells them they have but that would be between themselves and their sense of their own importance and of no significance to anyone else. and will then appeal that decision and any others for as long and as high up as possible and drag it out for so many years that any compensation will barely be worth anything after inflation.

          FTFY

  11. darkl
    Facepalm

    All these Meltdown/Spectre lawsuits are amusing and stupid because no one is suing Intel over full blown backdoor OS aka Intel Management Engine and Minix 3 hidden inside Intel CPUs that you have no access to anyone with the key or hacker can remote access and full access to your PC and Servers.

    1. Anonymous Coward

      You could have just stopped after amusing and stupid

      With a possible to be confirmed exception that Intel may have deliberately withheld information that they should have disclosed the whole exercise seems typically American.

      Who expects to buy complex equipment with a guarantee that there are no inherent, unforeseen, or edge cases that may not work as expected or are flawed by design over the entire lifetime of the product. This is simply part of normal life. I don't think I could bring myself to procure any equipment or services on the basis of perfection over lifetime.

      It's also not like Intel can simply release a fix over the internet either. These vultures should be paid off with replacement chips rather than cash and work out how to replace them in a cost effective way. Can you see millions of CPUs being de-soldered or un-Ziffed etc as inside multiple layers of racks, cases, mother and daughter boards.

      I would rather they just got to concentrate their creativity on better chips to be honest.

  12. Anonymous Coward

    I haven't... what do I need to do? :-)

    Also - is it me or are class action lawsuits always US based? Does the UK even have class action lawsuits?

  13. MrAnonCoward43

    What are we to do?

    Genuine question, what are we to do about future chips and computers? Accept the software slow downs and then future price rises with 'meltdown proof' future releases? Accept that all these chips are still all on the market unchanged and being sold at normal prices to the largely unsuspecting public? Accept that probably none of the legal cases will result in success for anyone but Intel at a great cost to many. I was planning a new purchase but with all the Management Engine stuff and now Meltdown / Spectre and with Crypto mining ramping prices up, I have no idea when I will actually buy one.

    How much has Meltdown and Spectre diverted all attention from ME and PSP and their potential links and usage by NSA and friends?? Tin foil hat squarely on, is this perfect for them? Is this also a great time to use Meltdown + Spectre to create a new version of ME in another undetected guise without the currently released ways to semi-debilitate ME.

    Tin foil hat back off, what can we do anyway. And yep probably all a bit of ludicrous conspiracy-ising, it's a real shame there isn't more competition now it's been made so clear how a connected pc / mac can be remotely controlled with practically no way to stop it. I don't know enough about it all and from almost everything I've read on the matter not many other people do either.

  14. martinusher Silver badge

    Opportunism and Ignorance

    These flaws in the processor architecture are obvious only in retrospect because they need to be used with a particular software structure to have any relevance. Put another way, it's not the processor that's at fault so much as the way that it's used. This is a very subtle point which is easily hidden behind a smokescreen generated by the lure of large amounts of cash from lawsuits that can prevail because of FUD.

    There is nothing in the x86 architecture that says that such and such a place is where you should store sensitive information in plaintext. Likewise, all performance numbers are estimated, they're handy to get a relative feel of how particular processors will work, but there are no absolutes.

    I'd really like these suits to fail "with extreme prejudice".....and no, I'm not an Intel employee, shareholder or whatever, I just don't like dishonesty in the pursuit of avarice.
