Intel Hit with 32 Lawsuits over Security Flaws

Megalith

Due to Spectre and Meltdown, Intel is facing numerous lawsuits from both shareholders and consumers. Thirty of these are from users who say they have been harmed by the company’s “actions and/or omissions.” The other two are securities class actions that allege Intel made false and misleading statements concerning its products.

The company’s filing also listed three individual Intel shareholders who had filed actions against members of Intel’s board and other managers, alleging that they failed their duties to Intel by failing to take action in relation to alleged insider trading. It did not specify what allegations of wrongdoing the suit dealt with.
 
I was wondering if/when a Class action would be filed. I think anyone with a CPU under warranty when the bug was discovered should get a fixed CPU. Out of warranty, I'm not sure (I'll leave that to the legal peeps on [H]), but given that fixes seem to slow down systems, I think a new CPU is in order...but honestly, by the time this gets through the courts, we'll all probably have new Computers. And god knows they'll fight hard, because that's a lot of CPUs to replace.
 
Get your popcorn ready. I just hope whatever they come out with next is deeply discounted or faster, as a direct result of the lawsuits.
 
Imagine all the cloud providers who are going to get HOSED on performance now, will they have to give people free vCPUs to their VMs to compensate for the lack of performance many are taking? My Azure VMs have already noticed slowness, even just for being DCs!
 
So when are we all getting our money?

 
IANAL, but it seems to me that customers might have a case based solely on the implied warranty of fitness for a particular purpose.

But yeah...nothing meaningful will come of this. After all, corporations which outright (and knowingly!) poison people are rarely held to account.
 
Toyota replaced thousands of frames on 1st and 2nd generation Tacomas due to excessive rust, at approximately $15000 a truck. No reason that Intel couldn't do something similar such as offering $500 towards a new system. It's a drop in the bucket compared to what Toyota paid out per truck.
 
Toyota replaced thousands of frames on 1st and 2nd generation Tacomas due to excessive rust, at approximately $15000 a truck. No reason that Intel couldn't do something similar such as offering $500 towards a new system. It's a drop in the bucket compared to what Toyota paid out per truck.

I see your point, but the frame rust could have been a potential life or death scenario for motorists unaware of it. A CPU on the other hand is a luxury item. I don't think Intel will do anything. A coupon at best......maybe.
 
Get your popcorn ready. I just hope whatever they come out with next is deeply discounted or faster, as a direct result of the lawsuits.
I was just thinking of popcorn for this.
 
I just hope whatever they come out with next is deeply discounted or faster, as a direct result of the lawsuits

I doubt it will be either of the two. Intel does not want to put AMD out of business.

Edit: I am talking about mainstream processor pricing here.

If I were talking about xeons or X299s, Intel can reduce prices on these (30% or so) without causing AMD serious pain.
 
Surprised amd isn't taking advantage of this

They really can't. AMD is vulnerable to Spectre and will be until Zen 2 arrives in 2019. Zen+ does not fix the issue.
 
I was wondering if/when a Class action would be filed. I think anyone with a CPU under warranty when the bug was discovered should get a fixed CPU. Out of warranty, I'm not sure (I'll leave that to the legal peeps on [H]), but given that fixes seem to slow down systems, I think a new CPU is in order...but honestly, by the time this gets through the courts, we'll all probably have new Computers. And god knows they'll fight hard, because that's a lot of CPUs to replace.

I expect consumers will get a $5 or $10 check sometime in 2025 or possibly later while the lawyers involved will get millions.
 
I see your point, but the frame rust could have been a potential life or death scenario for motorists unaware of it. A CPU on the other hand is a luxury item. I don't think Intel will do anything. A coupon at best......maybe.
I think a Computer is a necessity. And given that MOST CPUs are used by businesses, where they're definitely not a luxury, I think his argument holds up, but I don't know if the courts/feds will see it that way.
 
I expect consumers will get a $5 or $10 check sometime in 2025 or possibly later while the lawyers involved will get millions.
7 or 8 years? That's a lot of legal expenses and a certain amount of risk is involved, since they could lose or get a crappy settlement. I'd like to see CPUs sent to everyone that was screwed (or at least those that were screwed that bought a CPU summer of 2014 or later), but I think that'd require the feds to jump in. I don't really mind a S/W fix if it doesn't hurt the CPU performance, but 10% seems a bit extreme.
 
Surprised amd isn't taking advantage of this

They are smart enough to know they aren't immune. The thing about this class of attack is it is very new, and researchers are only just starting to figure out all the ways it can be exploited. Any sort of bragging or promises of "Oh we are secure don't worry!" could get you in shit. A security issue is ALWAYS a possibility, including in hardware. As I've said many times before, security is a process not an endpoint. You don't get the "right" hardware or software and suddenly you are secure and stay that way. It is about defense in depth, about reacting to new threats, about monitoring for compromise and about accepting that you ARE vulnerable, always, you just don't know how.

That is also why these lawsuits are likely to be a dud. This isn't an Intel issue. It isn't as though someone told them 10-15 years ago "Hey, speculative execution is a bad idea, it can be hacked," and they said "Fuck you, we do what we want!" Nope, everyone did it, and lots of people are vulnerable. AMD is vulnerable to some Spectre variants, some ARM chips are vulnerable (not all ARM chips do speculative execution, depends on their intended use), IBM POWER and Z Architecture are vulnerable, etc. This is something we just flat out didn't know about. So trying to claim Intel was somehow negligent is rather a non-starter.
 
^^^ This. In any event, it's like blaming M$ (as an example) for data loss due to a virus. It's the fucking douchebag who wrote the virus who is responsible.
 
They really can't. AMD is vulnerable to Spectre and will be until Zen 2 arrives in 2019. Zen+ does not fix the issue.
Spectre1 is comparable between Intel & AMD but Spectre2 is an order of magnitude more difficult to exploit on AMD (doable but nowhere near as easy...)

Spectre1 can be mitigated by OS and uCODE (assuming your vendor pushes out the update)-
Spectre2 still hasn't been mitigated..
Meltdown has been mitigated by OS (assuming your vendor pushes out the update)


So based upon the fact that every single x86 machine is vulnerable to Spectre2, would you invest time in providing a viable usage for Intel-chips or AMD-chips? when you consider
1) Intel has a lot more chips in the field
2) it is easier to exploit on Intel chips.


I know what I would do
 
No end user like us is getting anything. You are going to have to prove this has been a major issue for you personally for any type of judgement to go your way. My basic understanding of this issue means that would only be a corporate or commercial type user, and even then they are going to have to prove the same. Intel will spend a bunch of money in the legal department to make sure this has no future negative consequences for them.
 
So based upon the fact that every single x86 machine is vulnerable to Spectre2, would you invest time in providing a viable usage for Intel-chips or AMD-chips? when you consider
1) Intel has a lot more chips in the field
2) it is easier to exploit on Intel chips.


I know what I would do

Ya well, still not something AMD wants to mouth off about. Just because it is hard to exploit NOW doesn't mean it will always be hard, or that it won't get exploited. Likewise this is a new class of attack. This is the beginning, not the end, of this particular kind of covert channel. More will be discovered as time goes on. You don't want to open your mouth and set yourself up for trouble down the road. Not only marketing trouble but potential legal trouble. As I said, Intel is probably going to win these lawsuits (or settle them for very little money just to make them go away) because this is something that lots of people are vulnerable to and Intel never made any claims around it. Same deal with AMD, supposing they got sued. However if AMD starts making claims that "We are immune to Spectre/Meltdown buy our products instead," and then it turns out they aren't, that is something they can get sued successfully for. They made a promise that was false/they couldn't keep.

Along the "it is just beginning" lines, there's a new research paper by Princeton University and nVidia that talks about new variants of Spectre and Meltdown they've discovered.

Ultimately, these may just be covert channels we have to live with, and deal with by software mitigation and monitoring. I mean just because there's a potential for a covert channel doesn't mean we toss a technology. An example is ICMP: It is required for proper functioning of the Internet, it also can be used as a covert data channel. The answer isn't to just get rid of ICMP, because it's by far not the only covert channel over IP, rather it is to control and monitor for it being used as such.

Likely the same deal here. Hardware will be hardened to make these harder, but it probably can't completely shut it down without getting rid of out of order execution, which is quite useful in modern processors. So instead the answer is better software engineering. Make it harder to exploit in software, make IPSes able to watch for suspected attacks and shut them down, etc. A simple example that's already happened is browsers now screw with Javascript execution time. They jitter around the timing of instructions randomly so it is difficult to get any of the information you'd need for a Spectre attack (it relies on looking at execution time to tell cache hits vs misses). In the future they are looking at much greater isolation, where everything runs in its own process, even having separate renderers for each one so that one tab cannot do an attack against others.

It'll be an ongoing process, security always is. However it isn't something you want to shoot off your mouth about, particularly early on, as it could end up making you eat your words later. As such, I would expect AMD to do just what they've done: Only talk about the facts related to their processors and not make any particular claims of security/immunity.
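
The timer jitter described in the post above, modeled as an added example that is not part of the thread and not any browser's actual code. The 0.1 ms resolution, the 50 ns and 300 ns durations, and all function names are assumptions made up for the illustration; it compares how well a single timing measurement separates a fast operation from a slow one with an exact clock and with a coarsened, jittered one.

```javascript
// Added illustration: all names and numbers are constructed for this example.
// Seeded PRNG (mulberry32) so every run gives the same result.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Simplified model of a hardened timer: snap the true time to a coarse grid,
// add random jitter below one grid step, and never let the clock run backwards.
function makeHardenedClock(resolutionMs, rand) {
  let last = 0;
  return function (trueMs) {
    const snapped = Math.floor(trueMs / resolutionMs) * resolutionMs;
    last = Math.max(last, snapped + rand() * resolutionMs);
    return last;
  };
}

const FAST_MS = 0.00005; // constructed: ~50 ns, stands in for a cache hit
const SLOW_MS = 0.0003;  // constructed: ~300 ns, stands in for a cache miss

// Fraction of operations that one timing measurement labels correctly
// when compared against a threshold halfway between the two durations.
function classifierAccuracy(clock, trials, seed) {
  const rand = mulberry32(seed);
  const threshold = (FAST_MS + SLOW_MS) / 2;
  let t = 0, correct = 0;
  for (let i = 0; i < trials; i++) {
    t += 1 + rand() * 5; // operations begin at arbitrary, increasing times
    const isSlow = i % 2 === 1;
    const begin = clock(t);
    const end = clock(t + (isSlow ? SLOW_MS : FAST_MS));
    if ((end - begin > threshold) === isSlow) correct++;
  }
  return correct / trials;
}

const rawClock = (ms) => ms; // exact timer, no hardening
function runDemo() {
  const hardened = makeHardenedClock(0.1, mulberry32(2));
  return {
    raw: classifierAccuracy(rawClock, 4000, 1),
    hardened: classifierAccuracy(hardened, 4000, 1),
  };
}
console.log(runDemo());
```

With the exact clock every measurement is labeled correctly; with the hardened clock the result sits at about coin-flip level, because the jitter is hundreds of times larger than the difference being measured.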
 
I'm not shooting my mouth off. Speculative branching is a computer science oversight with fencing and retpolines being done at OS level to mitigate it hitting performance.
AMD not sticking their head up (as it affects them as well as IBM & ARM) was smart... stick to the facts, stick with resolving it the best they can.

Intel are being hounded because Meltdown is their own fuckup & equally they pulled the PR card... it might have worked with f00f and VDIV but pulling PR over resolving & equally mudspreading just isn't good form.
 
Honestly, Intel should be made to replace consumer chips sold after they knew about the bug
 
I see your point, but the frame rust could have been a potential life or death scenario for motorists unaware of it. A CPU on the other hand is a luxury item. I don't think Intel will do anything. A coupon at best......maybe.


"luxury item"

Tell a cloud company they only bought luxury items or many other strange companies using these luxury items to make a living off. You're funny.
 
They are smart enough to know they aren't immune. The thing about this class of attack is it is very new, and researchers are only just starting to figure out all the ways it can be exploited. Any sort of bragging or promises of "Oh we are secure don't worry!" could get you in shit. A security issue is ALWAYS a possibility, including in hardware. As I've said many times before, security is a process not an endpoint. You don't get the "right" hardware or software and suddenly you are secure and stay that way. It is about defense in depth, about reacting to new threats, about monitoring for compromise and about accepting that you ARE vulnerable, always, you just don't know how.

That is also why these lawsuits are likely to be a dud. This isn't an Intel issue. It isn't as though someone told them 10-15 years ago "Hey, speculative execution is a bad idea, it can be hacked," and they said "Fuck you, we do what we want!" Nope, everyone did it, and lots of people are vulnerable. AMD is vulnerable to some Spectre variants, some ARM chips are vulnerable (not all ARM chips do speculative execution, depends on their intended use), IBM POWER and Z Architecture are vulnerable, etc. This is something we just flat out didn't know about. So trying to claim Intel was somehow negligent is rather a non-starter.


Not an Intel issue? You're funny as well...
 
Spectre1 is comparable between Intel & AMD but Spectre2 is an order of magnitude more difficult to exploit on AMD (doable but nowhere near as easy...)

Spectre1 can be mitigated by OS and uCODE (assuming your vendor pushes out the update)-
Spectre2 still hasn't been mitigated..
Meltdown has been mitigated by OS (assuming your vendor pushes out the update)


So based upon the fact that every single x86 machine is vulnerable to Spectre2, would you invest time in providing a viable usage for Intel-chips or AMD-chips? when you consider
1) Intel has a lot more chips in the field
2) it is easier to exploit on Intel chips.


I know what I would do
People tend to forget that even though AMD did say that theoretically AMD is vulnerable to var 2, nobody has been able to prove it thus far. Also, since AMD's market share is so small, you can expect that malware will not be targeting them and go through so much trouble. There will be plenty of Intel systems open for attack for years to come.
 
Not an Intel issue? You're funny as well...

It is an Intel issue. But also an AMD, IBM and ARM issue. Meltdown is an Intel only issue but that is the easy one to solve (yes with a performance impact under some loads). Spectre is the one that is just mitigated. Spectre is also more difficult to exploit however sys admins will have to patch regardless if you have an AMD or Intel system.
 
Honestly, Intel should be made to replace consumer chips sold after they knew about the bug
I really think it should include every CPU that's under warranty, but yeah, they've known their product is defective since last summer.
 
they've known their product is defective since last summer

Haven't AMD, ARM and IBM also known as well? I also expect none of these will be issuing free replacements whenever they fix the problem. Also AMD will release Zen+ in April with the Spectre vulnerability still existing.
 
I really think it should include every CPU that's under warranty, but yeah, they've known their product is defective since last summer.
They knew of the bugs way before that. Google only confirmed them.
 
I wonder if Intel has figured out a way to re-engineer their CPUs and fix the issue. And if they can make it socket compatible with what is in the field.

And if they design a better CPU, will that expose them to more lawsuits because it shows what they could have done?

What a mess.
 