> It is a “near certainty” Beijing was aware of the conversations between Intel and its Chinese tech partners, because authorities there routinely monitor all such communications, Mr. Williams said.
Doesn't that mean that it is a “near certainty” that the U.S. Government was aware of it, because authorities (NSA, etc) routinely monitor all such communications?
The state of communications interception is a bit different in China. In the US it is opportunistic. In China it is mandatory and baked into the internet backbone, the cloud providers, and all communication providers.
I get your point. The NSA has anchor points very deep in the system.
The overt, pervasive mandatoriness of the Chinese system is another ballgame entirely.
If the Chinese gov't shows up and asks for basically anything, of course you give it. There are no questions, no lawyers. It is how things are done.
US tech companies do have lawyers and fight back at some stuff. Think about all those defamation cases where people try to sue Twitter to get the identities of people criticizing them.
How do you think that works in the Chinese social environment?
Well if there's lawyers getting involved, or the threat of such, that's what the five eyes (and the other "n eyes") are for. And then you can just call it a "minimization error during routine data sharing with foreign intelligence partners" that happened to sweep up tons of domestic US data.
Right, you end up with this sharing to get around legal issues.
Technical issues are a bit different though. Australian intelligence does not have rooms in any AT&T building I think. Though perhaps they perform some legal tricks to give them access and then roundtrip the info.
Yes, though you may have left out the UK (with GCHQ), who do most of the spying for the NSA within the US, so as to ensure the NSA doesn't break any rules, as they are permitted to take data from another nation's department but have restrictions on local citizen data ;) They in turn share data they gather on the UK.
There's a big difference between "gathered the communications" and "is aware of their contents". When you gather everything you merely have the potential to be aware of things you maybe should be aware of. Finding which needles in the stack of needles are of interest is difficult.
It is entirely possible that without being told neither government could have become aware of this in spite of having the communications that could make them aware if only someone read them. It's also entirely possible that the Chinese government became aware from being told by folks at those Chinese companies who received disclosures, and that the U.S. government wasn't. Eventually we might find out what the actual situation was.
From a purely legal and policy standpoint, the linked report is concerning. One would think that Intel ought to be aware of the national security implications of Meltdown/Spectre and should have alerted someone in the U.S. government, though they're probably not obligated to. And, of course, what if Intel had not been an American company?
Seems a generally-accepted-leaning-to-be-true assumption regarding NSA (or any nation-state-backed security or spying agencies with advanced technologies in a similar level as US).
Yeah but you'd need like 1:10 ratio of persons employed to monitor the comms of persons of interest. So there can't be that many persons/orgs under regular surveillance or huge numbers of people would be employed for the monitoring.
The US government is not a PC maker. The goal of the disclosure was to help companies figure out how to patch systems. Why would anyone expect the government to be notified first?
The US Government has national defense responsibilities. Providing such exploit information to Chinese companies, many with strong ties to the PLA and other government organs, without notifying your own government first, seems irresponsible.
Any government has national defense responsibilities. With your logic, Intel is a multinational company and should have informed them all, which leads to its own kind of problems.
Edit: The only reasonable path seems to inform every government simultaneously, at the same time as the public. How could the EU possibly let Intel sell CPUs, and let Intel inform other governments of vulnerabilities first? So that the other governments have a time window to play with the vulnerability against the EU?
That gives China a strong case to distrust Intel and use their own chips. It is not like they are not already doing that, but I guess Intel might not really want to add momentum to this process.
There is a practical equivalence between governments. If one government could make the case that they should be informed, then any government who bought systems with "Intel Inside" could make the same argument. If you want to split governments into groups based on some notion of morality then you may want to question why a company would be allowed to do business with a country on the wrong side of that morality in the first place. That's actually a discussion I'd like to see.
Practically speaking, providing an exploit to the Russian government vs the US government - that would be a different effect, no? How would you justify providing the exploit to the North Koreans, or the Iranians?
There is a very practical morality at play here. The Chinese government runs protesters over with tanks, imprisons people without cause, attacks their neighbors without cause, etc. Would it be a good thing to aid such a government?
Putting all governments on the same moral plane is counterproductive and nonsensical. Not providing important information to your own government so that they can secure the very systems that protect you - that doesn't seem very practical.
It's not about morals, it's about sales. If Intel were to start telling the US gov directly about security loopholes in products they were still selling to other nations, those nations would blacklist Intel for life.
Just as the US would blacklist Intel if they told another nation directly first (this is even true if they told allied nations). We have seen that just being allies does not stop the US spying (and I'm sure does not stop the opposite as well; it just turns out the others might be better at keeping things hush-hush).
If it was beneficial from a commercial point of view to first disclose to partners outside of the US this makes sense. Intel doesn't exist to serve US national defense responsibilities; they exist to make money.
I firmly believe that, if the NSA, CIA, and possibly the FBI found out about this exploit, and found out there would be a window of several months to exploit it, then these agencies would be a danger to the safety and security of the American people.
Therefore the patriotic and responsible thing would be to help vendors patch their stuff before directly disclosing the bug to any party that would be likely to abuse the exploit.
The NSA doesn't play ball and responsibly disclose exploits to vendors immediately after discovering and profiling them, expressly because they want to use the exploits, so why should vendors be obligated to do the reverse?
Notifying the government early would only serve towards helping the government temporarily exploit this vulnerability for intelligence purposes. It wouldn't make sense to notify them until progress was made with mitigations.
Is this a joke? Why would you not expect such a major American company to notify their government, when the government is one of their biggest customers?
Intel notified vendors (such as MS), so I'd assume the U.S. government would get these patches as well. I would also guess that any large customers of Intel (including the Gov) got some level of advance notice, just probably not before any other large customers, which I do not see a problem with.
Intel wants to be able to operate all around the world and not be forbidden from non-US markets. If it is seen that they directly pass an exploit to the US gov so that the US gov can use it to exploit other nations' systems, then those other nations will ban Intel from sales (even US allies would ban Intel).
In the same way people are customers of Freescale or Infineon because they buy cars? I hesitate to use the car analogy because there are recalls, but you still take the vehicle to the company you bought it from, not the supplier of that faulty part.
Not only that, Intel produces most of its chips in the US. The one plant they have in China used older processes, had to be approved by the US government and should have been repurposed to make memory chips. If you sense a pattern...
In some systems the PC maker controls the update path and not the operating system. As such it was important to get PC makers on the Team, otherwise users would have been left undefended.
With the majority of sales outside the U.S., are you arguing for Intel to employ some sort of "American exceptionalism" type policy when notifying customers of weaknesses? Apart from being a discriminatory position in itself, it is also not a very sound business decision.
Also, with all we know about the NSA, I'll be very surprised if the U.S. government didn't already know and, if they did, didn't try to take advantage of it.
Yes, it's headquartered in USA, all the executives are personally liable to USA laws (and not Chinese laws), and it actually is quite possible that they could be required to pursue American exceptionalism in regards to security issues, even if they weren't doing so yesterday.
I.e. an order (with due legal process) by USA government to not disclose that vulnerability to any Chinese companies would be possible and binding, but not the other way around. That's what being a USA company means, no matter where your sales are.
Any country where Intel sells CPUs could require by national law that Intel, AMD etc. notify its government of vulnerabilities no later than other governments.
If Intel explicitly does some kind of US exceptionalism, the EU, China and other governments will probably require to be made aware of the vulnerabilities no later than other governments.
How could the EU possibly let Intel sell CPUs, and let Intel inform other governments of vulnerabilities first? So that the other governments have a time window to play with the vulnerability against the EU?
> An Intel spokesman declined to identify the companies it briefed before the scheduled Jan. 9 announcement. The company wasn’t able to tell everyone it had planned to, including the U.S. government, because the news was made public earlier than expected, he said.
That seems to imply that Intel had planned to tell the US government some time between Jan 3 and Jan 9. That seems rather late.
I think that the distros list was notified before that, and I'd be quite surprised if there aren't a couple of government agencies monitoring it.
This article doesn't seem to say when the Chinese vendors were notified.
It's interesting how many folks in this thread claim the US government is a "huge" intel customer.
I do not believe that to be true. Certainly, they buy computers with Intel chips in them, but in terms of chip purchases (i.e. who Intel was probably notifying), they are probably nowhere in volume.
Intel has 8 customers accounting for 75% of revenue[1].
By numbers, America and Taiwan are tied for third in terms of volume per country. Singapore is #1, followed by China.
Even for just client computing, 3 customers account for 38% of their revenue.
The timetable is a bit strewn throughout the article, but from what I can make out:
June: Google reports the problem to Intel.
Soon after: Intel/Google (unclear) informs related businesses (Lenovo, Microsoft, Amazon, ARM Holdings, others?).
Jan 3: Vulnerability leaked ahead of planned Jan 9 reveal.
A 6-month window where apparently nobody informed the US Gov. I'm legitimately kinda surprised - if it were a small window, meh, but clearly they (and every other government) would have wanted an earlier warning since they'd likely be vulnerable. That's a gigantic window for the info to leak and an automated exploit to be built (just look how fast it happened when the news became public).
This series of flaws surprised me, I now really see why you want to run government computing on their own cloud. I naively trusted that vm separation would be enough and you couldn't leak things that way. I know there have already been flaws exposed where the memory wasn't scrubbed between sessions but I thought that was all fixed :-)
And the same idea applies to businesses that are suspicious of cloud computing security issues. Of course, these are probably obvious to everyone here and it's why these flaws are a big deal, because a lot of CPUs have been sold for cloud/VM installations. Now what?
Yup. Especially since China is already manufacturing their own x86 through a joint venture with Via Technologies. [0]
After the Meltdown/Spectre fiasco with Intel I'd be willing to bet China is weighing the performance penalty of switching to Zhaoxin CPUs versus paying Intel for buggy (and potentially backdoored via IME) CPUs.
The Chinese have shown over the past decades that they're fully capable of innovating and building strong businesses in segments where they didn't previously compete (Huawei in telco, Lenovo in consumer PCs, Xiaomi in smartphones).
Given that AMD was able to come up with Zen on a shoestring budget, who can say China can't do the same? They can certainly afford to throw money at R&D.
They also routinely steal blueprints to US technology as well as the rest of the world. They make billions in IP theft annually. I'm not saying they can't innovate (being one of the first advanced civilizations), but they're currently so behind in many areas that corporate espionage + cheap knockoff is super profitable. Why spend billions in R&D?
Back in 1812, finished cotton textiles dominated British exports, accounting for about half of all trade revenues, the fruit of a half century of progress in mechanized mass production. Proportionate to GDP, the industry was about three times the size of the entire U.S. automobile sector today. High-speed textile manufacture was a highly advanced technology for its era, and Great Britain was as sensitive about sharing it as the United States is with advanced software and microprocessor breakthroughs. The British parliament legislated severe sanctions for transferring trade secrets, even prohibiting the emigration of skilled textile workers or machinists. But the Americans had no respect for British intellectual property protections. They had fought for independence to escape the mother country’s suffocating economic restrictions. In their eyes, British technology barriers were a pseudo-colonial ploy to force the United States to serve as a ready source of raw materials and as a captive market for low-end manufactures. While the first U.S. patent act, in 1790, specified that "any person or persons" could file a patent, it was changed in 1793 to make clear that only U.S. citizens could claim U.S. patent protection.
Unlike the 18th-century USA, China is party to numerous international treaties and conventions [0] which obligate it to honor certain IP protections. Their enforcement record to date has been spotty at best, with many [1] allegations [2] of state-assisted [3] or -condoned [4] IP [5] theft [6].
Also, between slavery and the Native American genocide(s), I'd say the 18th-century USA may not be a great moral reference point. For that matter, China's government at that time still practiced slavery, foot binding, judicial torture, and all kinds of fun stuff. Neither would be great models for a modern state.
Once upon a time, Japan was perceived the way we currently perceive China: a land where cheap, flimsy knockoffs were produced. The first camera made by Canon (which is, today, the most popular camera manufacturer in many segments of photography, such as journalism) was a 100% copy of Leica designs. There was literally no innovation whatsoever, just a copy of German engineering.
But once the corporations acquired the base know-how, developed better quality control and started to gain popularity in the low end, they reinvested their money into R&D, and they now are one of the best brands on the market, cornering both the low end and the high end. Almost every single western camera brand died except for Leica, which survived mostly on selling brand recognition to people who have more money than sense (this is particularly true for the people who buy the idiotic non-rangefinder Leica cameras that are actually made by Panasonic, which are virtually identical to other Panasonic Lumix models and sold at a premium because there's a Leica badge).
Most well-known Japanese brands started like Canon.
I believe we're already starting to see the transition from 'eh, knockoff' to companies that are reinvesting in R&D in China, and this is going to eat at all the markets previously cornered by Silicon Valley giants. Good smartphones are already a commodity. I have the Honor 8, which is made by Huawei, who build their own system-on-chips like Apple and Samsung. It's still running as fast as it was on day one and I probably won't feel the need to change for something else as long as it keeps working. The only thing they need to improve on is the camera quality, and if they can manage to rival top-end smartphones in terms of cameras in the future they will lay waste upon Samsung. Apple might survive because, like Leica, they have a heavy contingent of people with more money than sense who are loyal to status symbols/Veblen goods.
Not sure why I'm being downvoted, it's a perfect example of a difficult problem (creating the metal ball) taking a long time to figure out when there isn't a shortcut. It's not a value judgement, other countries have had longer to figure this stuff out.
Google Project Zero researchers discovered this bug in May, 2017. They notified Intel, AMD, ARM and likely other chip-makers (Qualcomm, Broadcom, Marvell, Microtek, Huawei etc.) directly. Intel is just the lead actor in this mega-production.
Then each of these chip makers would have notified their direct customers who make original equipment (motherboards, SoCs, Add-on card etc). Then they would have to notify their firmware/software partner/vendors who have to fix the issue.
Since this was such a serious issue and at least 2 quarterly results were posted by all these publicly traded companies, I'm sure their lawyers, their external independent risk consultants, key members of the board and key investors were also told - especially as CYA when deciding to keep it a secret while giving market guidance (which had to be knowingly false?).
Each of these disclosures would have gone with boilerplate embargo legalese (bad things will happen to you if you speak about it). But all of them would have taken actions ranging from good to bad to evil (from insider stock trading to actively looking for ways to exploit the bug for competition spying).
While all this is going on, why would government not have known about this? Wouldn't one of the government certification programs like NIST FEDRAMP mandatorily require them to be notified of any vulnerabilities monthly?
And of course, all govt spy agencies would have surely known about this vulnerability as early as July/August given the amount of cross-continent communication that would have happened on this topic. And it's a whole other matter whether they used the exploit for any operational/tactical advantage for any ongoing operations or as a backdoor installation for future operations; it's anyone's guess. If they did do that, we cannot be surprised because that is definitely their job. Thinking any other way is not part of the security mindset. It's not the trust-everyone kind of thinking that led to the discovery of this vulnerability in the first place.
I would be very surprised if the NSA did not already know about these vulnerabilities. It's unfortunate that we can't count on the NSA doing the responsible thing for national security (which would be to notify Intel). But if these bugs were found by several independent researchers this year, it's hard for me to believe that the NSA didn't already find them. If they didn't, they are falling down on the job.
But a lot of this brain drain has gone to private security companies that then sell vulnerabilities to national bodies (like the one in Israel that sold a load of 0-day exploits for the iPhone to the CIA).
With China being a much larger consumer than the U.S.[0], it is a logical decision to warn those first who would have a larger loss than others. Ultimately, by preventing China from gaining vulnerabilities, we in turn will help the U.S. in a greater sense by hopefully achieving a >95% protection rate on chips.
"In 2012, China consumed 33% of the world’s integrated circuits (i.e. microchips) while the US consumed only 13.5%"
Surely no vulnerabilities should be disclosed to the US government earlier than the public because it does abuse them to hack people's computers, and it doesn't make its own systems that would need protecting any more than private companies do. It's like giving a hacker group advanced notification.
Imagine the roles being reversed. Would we care if a Chinese chip maker notified Google before the Chinese government? I'm sure nobody on HN would be complaining. That makes it look like naive American-centrism.
Of course we wouldn’t think negatively of being told first; that’s the whole point.
Assuming you were trying to make a juxtaposition thought experiment — what you should be asking is “Would China’s people care if a Chinese chip maker notified the US government first of vulnerabilities in their hardware?”
So Intel knowingly ships faulty chips, which smells of fraud, and reveals a weakness in all of USA's computers to another country which is known to employ cybercriminals ... how on earth do they get away scot-free? No criminal charges?
They absolutely are. Just as soldiers invading another country are breaking the law in that country - they don't even apply for a visa! America imprisons foreign spies and so do other countries. Warfare, government hacking and spying are weird crimes that people everywhere support when their own country does it but not when an enemy does. They don't even care if they're right or wrong, just root for their home team.
> So Intel knowingly ships faulty chips which smells of fraud and reveals a weakness in all of USA computers to another country which is known to employ cybercriminals
It also reveals weakness in Chinese, Russian and even Venezuelan Intel-based PCs, and while you may not agree that customers in these countries deserve to get notified on par with top-tier U.S. customers (questionable stance), Intel clearly does, since at this point it is a multinational corporation with a large customer base outside the U.S.