Reality Meets Hype, Film At 11
The Market Ticker - Commentary on The Capital Markets

2023-11-15 07:00 by Karl Denninger
in Technology, 300 references

This one got my attention; compliments of Janet sending me the article....

A 112-page class action complaint was filed this week by plaintiffs represented by Bathaee Dunne. News of a Bathaee Dunne-led lawsuit against Intel over the Downfall vulnerability emerged in late August, when the law firm announced that it was preparing to file a complaint.

The plaintiffs say the Intel CPUs they have purchased are “defective” because they are either left vulnerable to cyberattacks or they have significantly slower performance due to the vulnerability fixes made available by the chip giant.

The complaint says Intel has known about speculative execution vulnerabilities in its processors since 2018, when cybersecurity researchers disclosed the existence of two attack methods named Meltdown and Spectre. 

The speculative execution problem has in fact been known as a "risk" since 2018, but the technique itself pre-dates that, and not by a little.

The basic problem is that one can accurately "guess" what is in some other allegedly "protected" part of the CPU's execution space by causing it to take what amounts to a complex form of a cache miss.  Modern CPUs get a decent amount of their performance by speculatively executing ("pipelining") the instructions they predict will come next; if you can force that prediction to be wrong, the work the CPU throws away still leaves traces in its cache, and in some cases you can use those traces to figure out what is in the cache which you're not supposed to have access to.

The bad part of this is that the data involved in high-intensity computation -- that is, the data touched constantly while moving other data around -- tends to include important stuff like encryption keys.

If you manage to get that, you can break into someone else's data stream or, worse, potentially break into data at rest that you get hold of in encrypted form.

The suit rests on the premise that Intel published and promised performance figures, and thus induced people to buy its products, while knowing that this risk, if mitigated, would make those performance claims false, and that if it was not mitigated the CPU is in fact not secure when used by a mixture of tasks, some of which are untrusted.

Of course fair and full disclosure would not be a liability-generating event.  But there was, the suit alleges, no fair and full disclosure; in fact the claim is that Intel knew damn well that these sorts of "side-channel" attacks are possible due to design decisions it had to make in order to hit the performance metrics that form the basis for all of its marketing, which references, of course, the speed of performing calculations.

Were I on a jury I'd be inclined to find for the plaintiffs based on my knowledge of how all modern CPUs work and given the performance claims made, coming at this as someone who has bought said CPUs and then found that they required these performance-destroying updates in order to be secure in a mixed-trust environment.  My mind could be changed, however, depending on what is developed at trial.  It will be interesting to watch the progress of this suit in that in order to win the plaintiffs have to convince either a Judge or Jury of those facts, and I suspect most people lack the intellectual chops to analyze the issue in any sort of reasonable fashion.

We'll see.

The unappreciated part of this, however, is that there's a way to avoid needing these microcode updates: modern operating systems load them as part of the boot process, which means the loading (and the mitigation it enables) can be turned off.  That is, you don't need to take the performance penalty (and it's extremely severe) if you have control over everything that runs on that machine.

This of course means you own the computer and what is on it.

If you don't, however, then the provider of said resource is basically compelled to enable these patches, because if they don't, knowing the risk exists, and you get screwed, the provider is now potentially liable.  That liability could, in many cases, be literally enterprise-ending in terms of damages, particularly if punitive damages are awarded, and given actual knowledge of the risk that would be reasonable too.
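The two situations above (a machine you fully own and can choose to run unmitigated, versus a shared host whose operator must keep the mitigations on) come down to a checkable state. The script below is an added example, not code from the article: on Linux the kernel publishes one status file per speculative-execution issue under /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2, gather_data_sampling for Downfall, and others), and the script classifies each entry and fails if any issue is left unmitigated, which is the state a mixed-trust host must not be in. The VULN_DIR override and the audit_dir/classify_status function names are this example's own.

```shell
#!/bin/sh
# Audit the Linux kernel's speculative-execution mitigation status.
# Added example, not part of the original article. Status strings follow the
# kernel's documented conventions: "Not affected", "Mitigation: ...", "Vulnerable...".

# The sysfs directory can be overridden so the logic can be exercised on a
# constructed copy (or a snapshot pulled from another host).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit_dir DIR -> prints "<issue> <class> <raw status>" per entry.
# Returns 0 when every issue is mitigated or not applicable, 1 when at least
# one entry is still vulnerable (untrusted code sharing the CPU is unsafe).
audit_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-28s %-12s %s\n' "$name" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# When run directly on a Linux host, report on the live system. The non-zero
# result is only warned about here so the script is safe to source elsewhere.
if [ -d "$VULN_DIR" ]; then
    audit_dir "$VULN_DIR" \
        || echo "WARNING: unmitigated issues present; unsafe for mixed-trust workloads" >&2
fi
```

The exit status of audit_dir is what you would wire into a fleet check: a host that only ever runs your own trusted code may legitimately report "vulnerable" after you disable a mitigation at boot (the Linux kernel documents the mitigations=off and gather_data_sampling=off parameters for exactly that choice), but a host that runs anyone else's workloads should fail the check hard.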

In other words the promise of "cheaper" by putting it on the "cloud" just got smoked, not by a little, and it can't be fixed except by not using cloud infrastructure for anything that has a security context associated with it -- which is damn near everything except public-facing information you intend for anyone and everyone to see (like this article, for instance.)

Oops.