This one got my attention; compliments of Janet sending me the article....
A 112-page class action complaint was filed this week by plaintiffs represented by Bathaee Dunne. News of a Bathaee Dunne-led lawsuit against Intel over the Downfall vulnerability emerged in late August, when the law firm announced that it was preparing to file a complaint.
The plaintiffs say the Intel CPUs they have purchased are “defective” because they are either left vulnerable to cyberattacks or they have significantly slower performance due to the vulnerability fixes made available by the chip giant.
The complaint says Intel has known about speculative execution vulnerabilities in its processors since 2018, when cybersecurity researchers disclosed the existence of two attack methods named Meltdown and Spectre.
The speculative execution problem has in fact been known as a "risk" since 2018 but the technique pre-dates that, and not by a little.
The basic problem is that one can accurately "guess" what is in some other allegedly "protected" part of the CPU's execution space by causing it to take what amounts to a complex form of a cache miss. Modern CPUs get a decent amount of their performance by "pipelining" things that they believe will be next and if you can force that belief to be false you can, in some cases, figure out what is in the unit's cache which you're not supposed to have access to.
The bad part of this is that the things used in high-intensity computation -- that is, the things used a lot when moving data around -- tend to include important stuff like encryption keys.
If you manage to get those keys, you can break into someone else's data stream or, worse, potentially break into data at rest which you get ahold of but which is in encrypted form.
The suit rests on the premise that Intel promised and published performance information, and thus induced people to buy their products, knowing that this risk, if mitigated, would make those performance claims false and if not mitigated the CPU in fact is not secure when used by a mixture of tasks, some of which are untrusted.
Of course fair and full disclosure would not be a liability-generating event. But there was, the suit alleges, no fair and full disclosure and in fact the claim is that Intel knew damn well that these sorts of "side attacks" are possible due to design decisions which they had to make in order to hit performance metrics that form the basis for all of the marketing which references, of course, the speed of performing calculations.
Were I on a jury I'd be inclined to find for the plaintiffs based on my knowledge of how all modern CPUs work and given the performance claims made, coming at this as someone who has bought said CPUs and then had the fact that they required these performance-destroying updates to be used in order to be secure in a mixed-trust environment. My mind could be changed, however, depending on what is developed at trial. It will be interesting to watch the progress of this suit in that in order to win the plaintiffs have to convince either a Judge or Jury of those facts, and I suspect most people lack the intellectual chops to analyze the issue in any sort of reasonable fashion.
We'll see.
The unappreciated part of this, however, is that there's a way to avoid needing these microcode updates, and modern operating systems load them as part of the boot, which means they can be turned off. That is, you don't need to take the performance penalty (and it's extremely severe) if you have control over everything that runs on that machine.
This of course means you own the computer and what is on it.
If you don't, however, then the provider of said resource is basically compelled to enable these patches, because if they don't, knowing the risk exists, and you get screwed, the provider is now potentially liable. That liability could, in many cases, be literally enterprise-ending in terms of damages, particularly if you get hit with punitive damages, and given actual knowledge of the risk that would be reasonable too.
In other words the promise of "cheaper" by putting it on the "cloud" just got smoked, not by a little, and it can't be fixed except by not using cloud infrastructure for anything that has a security context associated with it -- which is damn near everything except public-facing information you intend for anyone and everyone to see (like this article, for instance.)
Oops.
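The point above about mitigations being loaded at boot, and therefore switchable, can be checked on a given machine. This is an added example, not part of the original article: it assumes a Linux host, where the kernel reports per-vulnerability status under `/sys/devices/system/cpu/vulnerabilities` (the Downfall entry is `gather_data_sampling`), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Linux sysfs layout.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" prints one class for the kernel's report.
classify_status() {
    case "$1" in
        "Not affected"*)               echo not_affected ;;
        "Mitigation:"*[Vv]ulnerable*)  echo partial ;;   # mitigated, but e.g. SMT still exposed
        "Mitigation:"*)                echo mitigated ;;
        "Vulnerable"*)                 echo vulnerable ;;
        *)                             echo unknown ;;   # e.g. a guest cannot see host state
    esac
}

# cmdline_disables "<kernel command line>" prints boot parameters that
# switch mitigations off (all of them, or just the Downfall/GDS one).
cmdline_disables() {
    for arg in $1; do
        case "$arg" in
            mitigations=off|gather_data_sampling=off) echo "$arg" ;;
        esac
    done
}

# audit_vulns [dir] prints "<class> <name>: <status>" per entry and returns
# 1 if anything is not fully mitigated, 2 if the directory is missing.
audit_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        class=$(classify_status "$status")
        printf '%-12s %s: %s\n' "$class" "$(basename "$f")" "$status"
        case "$class" in vulnerable|partial|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Inspect the running system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    cmdline_disables "$(cat /proc/cmdline)"
    audit_vulns
fi
```

On a rented virtual machine the Downfall entry can come back as unknown, because the guest kernel cannot see whether the host has the microcode loaded; that decision sits with the provider.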