
> Why?

Because the fallout will cost billions over the next years: Intel as a company, due to class-action lawsuits, recalls and rebates; and the shareholders, because the drop in stock value after the announcement will cost them quite a chunk of money.

In addition, more long-term, I sincerely hope that the cloud vendors (and maybe even Apple!) recognize that their total dependence on Intel (and NVIDIA in deep learning...) is bad and they need to diversify their base.



Unclear that diversifying helps solve this sort of problem. More vendors could lead to the same number of bugs, but less investment in quality control per product, e.g. if you make $1b and spend 1% on quality control, then you spend $10m checking your product for bugs. If the market fragments into 10 $100m vendors, then to get the same amount of money spent checking each chip for bugs, you'd have to spend 10x as much of your budget on quality control.

It gets even worse when you consider the incentives of private/academic/third-party researchers to search for bugs, since there is a lot less prestige in catching a bug in a smaller/less well-known product. E.g., I'm pretty sure no white-hat security researcher has checked for security problems in the cheap wifi light switches I bought on Amazon.


> If the market fragments into 10 $100m vendors, then to get the same amount of money spent checking each chip for bugs, you'd have to spend 10x as much of your budget on quality control.

But there's a much smaller attack surface and the incentives for attackers are significantly changed. Homogeneity is always more vulnerable to disaster, whether we're talking about food supply or chips.


And quality is not directly a function of money spent. Customers will start demanding to see the machine checked proofs that your hardware is correct. Intel has been cowboy coding CPUs for way too long.


> Unclear that diversifying helps solve this sort of problem.

At least having the option of another vendor as a fallback (e.g. in case there's a severe RCE vulnerability in ME/PSP) is a better alternative than having to shutter your entire business.

I would not be surprised if these management engines have a backdoor that can be invoked from a guest VM... and then an all-Intel (or all-AMD) shop has a massive problem.


Intel ME drivers are not loaded into a VM; the devices are not exposed, and the ME MSRs are also not exposed.


> and the ME MSRs are also not exposed.

This is the core question: is this isolation absolutely perfect, or can it be pierced in any way? Something on a severity level like Spectre/Meltdown - people would have laughed you off the stage half a year ago when you told 'em you could read kernel memory from JavaScript without exploiting both the browser and the kernel - is IMHO certain to be present in either of the "management" solutions, and I'd like to be prepared when the bomb explodes.


I don’t think any serious security person would have laughed you off for mentioning side channel attacks.

No isolation is perfect, but (and that is an important but) for virtualization you have much higher control over what instructions you allow through, so an attack which is specific to ME isn't likely.

That said, you can have a side-channel attack that allows you to compromise the hypervisor, and from it you can jump to the ME, but this is a different story.


> e.g. I'm pretty sure no white-hat security researcher has checked for security problems in the cheap wifi light switches I bought on Amazon.

But isn't this also applicable to the other side? As in, black hats have fewer incentives to research vulnerabilities in less popular products (security through minority). I'm not certain how this balances out.


Cheap products can be quite popular. It's probably fine until that cheap item you bought goes viral on Facebook, or there is a single upstream vendor that is hugely successful. No idea either, only statistics would tell.


AMD chips do not need PTI. All the performance hits people are talking about right now would be irrelevant on a cloud farm that used AMD CPUs for their hosts. If any such cloud farms exist, they had better be declaring that loud and proud; I expect there will be a lot of people looking to jump ship.
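
Because the comment above turns on whether a host is paying the PTI cost at all, here is a small defender-side check, added to this page and not part of the thread, that reports a Linux host's Meltdown mitigation status. It reads the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (present on kernels with mitigation reporting) and falls back to the "pti" feature flag in /proc/cpuinfo; the sample inputs at the bottom are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report whether Kernel Page-Table
# Isolation (PTI), the Meltdown mitigation whose performance cost the
# discussion refers to, is active on a Linux host. Two sources are used:
#   1. /sys/devices/system/cpu/vulnerabilities/meltdown, on kernels that
#      carry mitigation reporting, with values such as "Not affected",
#      "Vulnerable" or "Mitigation: PTI";
#   2. the "pti" feature flag in /proc/cpuinfo, as a fallback.
# The sample inputs at the bottom are constructed for offline use.

# pti_status MELTDOWN_SYSFS_TEXT CPUINFO_FLAGS_LINE
# Prints one of: pti-active, not-affected, vulnerable, unknown.
pti_status() {
    meltdown="$1"
    flags="$2"
    case "$meltdown" in
        *"Mitigation: PTI"*) echo "pti-active";   return 0 ;;
        *"Not affected"*)    echo "not-affected"; return 0 ;;
        *"Vulnerable"*)      echo "vulnerable";   return 0 ;;
    esac
    # No usable sysfs text (older kernel): look for the pti cpu flag instead.
    # Surrounding spaces keep "pti" from matching inside another flag name.
    case " $flags " in
        *" pti "*) echo "pti-active"; return 0 ;;
    esac
    echo "unknown"
}

# live_pti_status: the same decision applied to the running host's files.
# Yields "unknown" on hosts without these files (non-Linux, old kernels).
live_pti_status() {
    m=""
    f=""
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
        m=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown)
    fi
    if [ -r /proc/cpuinfo ]; then
        f=$(grep '^flags' /proc/cpuinfo | head -n 1) || true
    fi
    pti_status "$m" "$f"
}

# Constructed samples: an Intel host with the mitigation, an AMD host, and an
# older kernel with no sysfs entry but the cpuinfo flag.
SAMPLE_INTEL_SYSFS="Mitigation: PTI"
SAMPLE_AMD_SYSFS="Not affected"
SAMPLE_OLD_FLAGS="flags : fpu vme de pse tsc msr pae mce cx8 apic sep pti"

echo "intel sample : $(pti_status "$SAMPLE_INTEL_SYSFS" "")"
echo "amd sample   : $(pti_status "$SAMPLE_AMD_SYSFS" "")"
echo "old kernel   : $(pti_status "" "$SAMPLE_OLD_FLAGS")"
echo "this host    : $(live_pti_status)"
```

On a fleet, running `live_pti_status` across hosts is the quickest way to see which machines are actually carrying the mitigation overhead and which report "Not affected"; a "vulnerable" result means the kernel knows about the issue but has the mitigation disabled or unavailable.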


Different vendors have different bugs.

The aerospace industry realized this a long time ago, and for some things they will have 3 different devices from 3 different vendors doing the same job.


The Intel CEO took over in 2012 - some of these vulnerabilities go back as far as the Pentium Pro (Meltdown) and the other one affects (I believe) as far back as the original Pentium (Spectre) - why would you fire someone for something that happened under a predecessor's leadership (Andy Grove, in this case, was CEO when the Meltdown attack was added) - it makes no sense - I see nothing here that doesn't jibe with similar efforts with other bugs.


Him selling his maximum allowed grant and also options when he knew before everyone else is plenty.


According to Matt Levine, Krzanich has a consistent history of selling the maximum or near-maximum amount of his stock grants every year.[0]

If one wants to be truly cynical, you could say he has been expecting something like this all the time and cashing out to ensure his money isn't tied to Intel. I am inclined to being slightly less cynical - I'd say he has been just cashing out regardless of the company's performance.

0: https://www.bloomberg.com/view/articles/2018-01-05/citi-forg...


That would be clear insider trading, with SEC prosecution and jail time. Unlikely if the executive has half a brain.


Yeah, exactly: it's too easy for people to draw a direct line between the selling and the announcement (which, of course, people have done) for him to have been stupid enough to do it with that intent. He seems to have simply been following the pattern of previous trades.

That being said, even though I don't think it's the case here, greed has been known to make people do some very stupid things.


You do know that INTC is up compared to 1 month ago? If it didn't drop that much on the initial announcement, why would it plummet in the coming months?


Because there is no quantifiable impact yet. Right now all that's known is "mh, it's bad, but the OS vendors are patching it"... now give the situation a couple weeks to brew, wait for more data on the CPU impact of these patches and the inevitable lawsuits. Plus, Intel might want to think about delaying the next CPU releases (or introduce a new stepping of existing CPUs) to fix the bugs in hardware... all stuff that ain't cheap.


If the market agreed with you that Intel will suffer greatly in the future due to Meltdown/Spectre the price would have dropped already. Of course you might be correct and the market wrong. You’re short Intel, right?


> Because the fallout will cost billions over the next years.

Doubtful. Intel has a near monopoly in data centers in 2017. They will have a near monopoly in data centers in 2018 and 2019 I predict as well.

Really very few things they can do to lose their business at this point.


Until Intel fixes their architecture, wouldn't all the major cloud providers switch new purchases to AMD for the time being?


The problem is chip R&D is super capital-intensive and the space is highly competitive even with so few companies.



