back to article Intel fails to get Spectre, Meltdown chip flaw class-action super-suit tossed out

Intel will have to defend itself against claims that the semiconductor goliath knew its microprocessors were defective and failed to tell customers. On Wednesday, Judge Michael Simon, of the US District Court of Oregon, partially denied the tech giant's motion to dismiss a class-action lawsuit arising from the 2018 public …

  1. martinusher Silver badge

    Defective?

    This isn't like that Pentium multiply bug from decades ago. That was a proper bug. This is exploiting the properties of caches in an obscure, abstract, and higly creative way to get information about data that arguably shouldn't be in cached RAM in the first place.

    The people who file lawsuits like this may just be opportunists looking to feed off a carcass (or endless legal work) but ultimately it comes down to the overall ignorance of our society about the capabilities and limitations of computers, an ignorance characterized by a have it all expectations with a demand for compensation when they don't get it.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Defective?

      IMHO it's possible to argue that Meltdown was a defect because Intel trivially broke one or more of the data security guarantees it gave in its documentation (IIRC, it's been a while so ICBW).

      Spectre's a bit different IMHO because while it could be exploited to leak data, it was more like discerning info through instrumentation.

      Whereas, Meltdown was as simple as placing a load after a branch instruction and seeing if the load was speculatively executed even if the branch was taken. And it was found that the speculative load occurred before security checks were performed, allowing one to figure out the content of memory that would have been trapped if read directly.

      AIUI the chap who found Meltdown - a Googler straight out of uni - read the Intel soft dev manual, saw the part that said if a branch is taken, the CPU won't execute the instructions that follow immediately after the branch, and thought, 'yeah but I wonder if it does?'

      Meltdown to me looked trivial to exploit, just a straight up bug in the design of the pipeline. Spectre looked more nuanced: a side effect of other optimizations.

      As I said, ICBW.

      C.

      1. Aitor 1 Silver badge

        Re: Defective?

        Is it a bug or did they just do in on purpose so it is faster? I don't know, but looks like a nice way to speed up the processor.

        1. Bitsminer Bronze badge

          Re: Defective?

          ISTR comments that speculative execution was widely known amongst CPU designers as a security risk for several years prior.

          But it was not considered exploitable.

          Software people surprised the hardware folk yet again.

        2. Anonymous Coward
          Anonymous Coward

          You are right, it's Probably both, but thats not the point

          The part of the suit that is being heard is centered on cases during the period where Intel clearly had full knowledge that Meltdown was serious bordering on catastrophic, and that the mitigations were going to cause a huge performance hit.

          The didn't warn people buying (brand new) equipment with Intel processors of these defects at the time and for months after the fact. I remember digging around the ARC cpu database and thinking they were gonna get sued over this stuff. They held off until they got past the holidays and the launch of their new processor family, which having been in the design pipeline was also vulnerable.

          This impacted the buyers because to address many of these architectural flaws they were going to have to rip and replace the machines in question. If that was a small business, and they paid full list to Dell or HP for new server hardware that was supposed to last 3-5 years(and reality probably replaced something that was 10-15 years old) that is a huge hit.

          The problem being that this cut and dry case has been stalled in the courts so long such a small business owner would have to have bought the replacement out of pocket already, then been tens of thousands of dollars in the hole going into a multiyear pandemic.

          Slow justice isn't always just.

      2. dajames Silver badge

        Re: Defective?

        Spectre's a bit different IMHO because while it could be exploited to leak data, it was more like discerning info through instrumentation.

        That's true, but I'd still class it as a bug ... except maybe on a CPU that could be guaranteed never to be asked to run any software that had anything to do with security of any kind ... if such a thing exists.

        The people who make chips that are designed for security understand about things like side channel timing attacks and design the hardware so that every execution path runs in the same time, so timing attacks can learn nothing.

        This is not new in, for example, smartcard designs. Attacks of this type were carried out in the wild on smartcards designed 30+ years ago -- measuring the length of time taken to verify a PIN, for example. Some cards stopped processing the check after the first wrong digit, so you could tell how many leading digits of the PIN were correct by seeing how long the check took.

        This has led to an awareness of these problems in those designing chips for security, and newer chips are designed to defeat such attacks. Spectre is a result of designers of general-purpose CPU chips thinking that their products don't need that level of security, which is demonstrably false.

    2. Hawkeye Pierce

      Re: Defective?

      Intel are being sued NOT because there was a problem ("bug", "exploit", call it what you will).

      They are being sued because - allegedly - they knew there was a problem and failed to properly disclose it thus misleading various categories of people (consumers and shareholders principally).If that is true - and if they do not have a valid defence - then it's absolutely right for them to get sued. That's what the legal system is there for.

    3. Anonymous Coward
      Anonymous Coward

      Re: Defective?

      Is there not the ability to mark memory pages as sensitive, such that they'll never be cached? With the proviso that *every* *single* *access* takes a slow memory lookup? Then 99.999% of pages would be fast, cacheable, and 0.001% of pages that have an encryption key could get the flag?

    4. MrDamage Silver badge

      Re: Defective?

      Yeah, right.

      The same as how people who bought Volkswagon's for their "superb diesel economy", are now demanding for compensation. Not for being the victims of software tampering, but because they are ignorant of how cars really work.

      Or the people who were upset with Google's WiFi snooping while doing Google Maps are just upset because they're ignorant of how the internet works.

    5. msobkow Silver badge

      Re: Defective?

      More to the point, society is largely litiginous in the US, so you can get sued for sneezing on somebody if there is a pandemic going around. 'Tis just that way down south of Canada.

      "I drove my car off a cliff! Obviously the steering was defective and my drunkenness had nothing to do with it, so I'm suing the manufacturer. And the guard rails weren't strong enough, so I'm suing the people who approved them, the people who made them, and the people who installed them. I refuse to accept responsiblity for anything as long as there is an opportunity for a lawsuit."

  2. TReko

    CEO Share sales

    don't forget Intel's management team sold many of their share options just before the news was released, too.

    Just a co-incidence, I'm sure...

    1. DS999 Silver badge

      Re: CEO Share sales

      Insiders generally file paperwork with share sale plans ahead of time, so if they'd already filed months in advance it may not be as bad as it looks. Sometimes they file these plans even when they aren't required to just to avoid any implication of insider trading as the SEC considers that an affirmative defense.

      1. DevOpsTimothyC Bronze badge

        Re: CEO Share sales

        Insiders generally file paperwork with share sale plans ahead of time, so if they'd already filed months in advance it may not be as bad as it looks.

        The more suspicious among us might interpret that as they had a heads up about this months in advance.

        I'd like the case subpoena those communications to see just how far in advance there was any indication of this.

  3. Andy The Hat Silver badge

    I do find this a bit odd as nearly every *potential* security flaw that may or may not be exploited physically, in software or hardware would be subject to this type of vulture litigation.

    "We have been made aware of the possibly of an issue and we'll fix in in the spring update" would be immediately subject to a claim of negligence as the company knows there's a problem but isn't fixing it *immediately*.

    I can't see this going far unless it can be proven that Intel knew about the flaw being exploited and did nothing about it. As is standard industry practice, keeping quiet in public about a security concern allows time to fix the issue before it actually becomes a problem in the wild.

    1. a_yank_lurker Silver badge

      The allegation is not about the issue per se but Chipzilla sat on it until someone at Google blew the whistle. Also, during this time Chipzilla did nothing to fix the issue. In most cases of a bug being found, say in Bloatware, the affirmative defence is two-fold: start working on a patch as soon as you find out and when announcing the bug officially have the patch in the works if it is not ready. Also, Chipzilla was advertising performance that was negatively impacted by the patches. So there is a possibility of a false advertising suit in the background.

    2. Anonymous Coward
      Anonymous Coward

      Litterally why the judge tossed the other parts of the case

      And the part that is proceeding if focused on the period where Intel was still selling vulnerable hardware, was touting the performance of it's new processor line, and downplaying, denying or ignoring the Meltdown and Spectre issues.

      And the details in question were already in the wild by that point, so they can't hide behind disclosure. They got greedy, and they weren't thinking long term. They could have avoided liability if they had just followed standard practices, but they didn't. They realized that the flaws were baked into the hardware, and "fixing" the problem meant replacing the parts. They also new that the designs they had in the release pipeline were also vunlerable, and it would be months or years before the architectural problems could be fixed. None of that was clear to a buyer, either through a system builder or through Intel's direct marketing material.

      So this case isn't about opening the door to a flood of lawsuits at other companies, Intel management put the companies head on the chopping block to bolster their end of year numbers.

  4. Anonymous Coward
    Anonymous Coward

    A big chunk of these allegations DON'T apply to AMD........

    ......so it would seem that SOME competent engineers and designers were able to anticipate (and avoid) certain types of trouble.

    Perhaps this makes Intel more likely to fail in their efforts to avoid this litigation?

    P.S. When the FPU bug was found, my Pentium PC had the CPU in a ZIF socket. Intel sent me a new chip plus a reply-paid return package. Right now, every machine here at Linux Mansions has the CPU soldered into the motherboard....so a bit harder for Intel to arrange a CPU swap! Just saying!

    1. Sandtitz Silver badge

      Re: A big chunk of these allegations DON'T apply to AMD........

      "so a bit harder for Intel to arrange a CPU swap"

      P6 was the first Intel CPU family to support microcode patching. No need to replace the CPU.

  5. Alistair
    Windows

    Fixing the legal commentary

    "We look forward to advancing this litigation on behalf of consumers and businesses our law firm's bank accounts, since these consumers and businesses were left with slower and less secure computers due to the defects found in Intel's processors."

    FTFY.

    1. Wellyboot Silver badge
      Holmes

      Re: Fixing the legal commentary

      Yes....

      After we failed to stop the case which will now bring a vast wedge of cash in our direction regardless of outcome.

  6. Binraider Silver badge

    But, if the case is successful, who gets the payout? Every owner of one of the affected chips? And the supply chain in between?

    To be fair, when Sony canned official "install-other-OS" capability, an originally touted launch feature, at least one successful refund was done.

    Where does Caveat Emptor begin and end?

    1. Anonymous Coward
      Anonymous Coward

      Who gets the payout? Realistically, the lawyers.

    2. MrDamage Silver badge

      Small calims court would be the start. Claim whatever percentage of performance lost from your original purchase price, rated for inflation.

      How does one practice caveat emptor when companies explicitly hide the information you require to make the informed purchase? Consumer rights laws are supposed to assist, but they have been watered down in the US where the fine for doing illegal activity doesn't even cover 1% of the profits made by said illegal activity.

      1. Binraider Silver badge

        I’ve had a 6700k more or less since launch. It did what I wanted very well for some years - admittedly with a useful lifetime basically determined by a combination of malware, vulnerabilities being found and software support being dropped.

        From a Useful economic life perspective the hardware hasn’t done bad. And bunging BSD on there with hyperthreading off it’s probably still a more secure system than most. Admittedly minus one feature that isn’t that important.

        I fear from a small claims perspective the cost of making the case would be more than any potential gain. So where are consumer groups etc with their cases brought on behalf of everyone?

  7. jollyboyspecial

    English Much

    "Alleged enough facts"

    What utter twaddle.

    An allegation is an allegation and a fact it a fact. You can allege something, but that doesn't make it a fact it remains an allegation until it has be proved and demonstrated to be a fact.

    It is frankly scary that a judge has such a poor understanding of the English language.

    1. a_yank_lurker Silver badge

      Re: English Much

      Robed shysters on this side are not known for their competency or literacy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022