There is a story doing the rounds that the US Government is pissed off at Intel because Intel kept quiet about Meltdown and Spectre: it seems that the disclosure only happened after the vulnerability became public, some six months after Intel were first told about it. The US Government are unhappy because Intel knew about the vulnerability and knew that US Government equipment was running with those flaws.
In my opinion, the US Government has absolutely no right to criticise Intel here. Intel are under absolutely no obligation to tell anyone about the security problems until a suitable patch has been made available. The results of rushing out a patch have been painfully clear.
Secondly, if Intel had informed the US Government, would the US Government have done the decent thing and told other Governments around the world of the vulnerability so that they could do their own informed risk assessment?
Should Intel tell the Governments of the countries that they are based in of this security hole for the same reasons? Somehow I cannot see the US being that generous or helpful with something like this; I can see them leveraging the problem for their own benefit.
Finally, why stop at world Governments? Shouldn't banks and other financial institutions be told as well due to the nature of the work they do? At that point it's pretty much public anyway!
I think it is pretty clear that the US Government are only pissed because they were not told and, if they had been, I further suspect that the NSA would have been involved with finding a way to exploit it, causing potential harm to others. After all, they do have a track record with things like EternalBlue and EternalRomance, so it is not like the US Government (or certain branches thereof) can be trusted with private disclosure of security breaches.
In this case, I make Intel right on telling certain industry partners about the issues but not the US Government.