In message <CY1PR01MB12478E5333AB735198BA81EF8FFB0 at
CY1PR01MB1247.prod.exchangel
abs.com>, "Zahrir, Abderrahmane" <Abderrahmane.Zahrir at
ca.com> wrote:
>Hi Guys,
>
>I understand that you have not been notified early enough about the Meltdown
>and spectre security {flaws}...
Apparently, it wasn't just the FreeBSD security crew that was
inappropriately
kept in the dark about this gaggle of hardware security disasters. According
to some recently published news reorts, even various Chinese hardware vendors
were informed of the flaws PRIOR TO the U.S. Government being informed.
(Source: The Wall Street Journal.)
In short, this truly epic set of hardware security screw ups were followed
by what now appears to have been an equally epic set of -disclosure- screw
ups.
The hardware bugs were bad enough, but the clear (and apparently self-serving)
idiocy that drove the selective disclosure process in this case was, it now
appears, equally stinky, if not moreso.
Some days, I can't help thinking that I'm playing for the Wrong Team.
Maybe its time to learn Chinese.
It all sort of reminds me of one very famous quote about the sheer idiocy
often displayed by short-sighted corporate bean counters:
"The Capitalists will sell us the rope with which we will hang
them."
-- Vladimir Ilyich Lenin
Intel decided to make Meltdown/Spectre disclosures to their Chinese
business partners (e.g. Lenovo, Alibaba) before making those same
disclosures even to the government of the country where they are
headquartered, and from which they have derived most of their profits
since the company's inception, i.e. the good old U.S. of A.
Read and weap:
https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430
https://www.theregister.co.uk/2018/01/29/intel_disclosure_controversy/
https://www.engadget.com/2018/01/28/intel-told-chinese-firms-of-meltdown-flaws-before-us/
Thousands and thousands of honorable, well-intentioned and sincere men
and women, most with only the purest of motives, have argued and debated,
back and forth, for liteally decades now about the true meaning of, and
true nature of "responsible disclosure", a topic which continues to be
ernestly and reasonably debated between professionals. And yet here we
have an instance of a single, dominant, for-profit corporation effectively
making a mockery of all those debates by simply doing what it thought
was in its own best interests and leaving everyone else to twist in the
wind.
I, for one, intend to remember this the next time some geeky hacker-type
dude gets publically criticised for going public with some security flaw
before the affected vendor(s) had a patch ready for release.
The next time I see somebody (anybody) being blasted for having failed to
observe "responsible disclosure protocols", I, at least, will jump to
that person's defense simply by saying "Yea... So?"
Intel has just killed the entire notion of "responsible disclosure".
It simply doesn't exist anymore.
Publish and be saved!
-- Bartholomew "Barley" Scott Blair
-- The Russia House
Regards,
rfg
P.S. Now that I think about it, I guess that Intel's actions in this
case... which they will most assuredly get away with, *without* any
civil or criminal penalty (because hey! They're Intel!)... has also
created a sort of carte blanche for any U.S. hacker dude who might want
to sell his zero days to the Chinese, or, you know, the Russians.
Because isn't that effectively what Intel itself did in this case?