Spectre & Meltdown

[Paul Koning]

> On Jan 13, 2018, at 1:08 PM, Murray McCullough via cctalk <cctalk at classiccmp.org> wrote:
> 
> I wrote about Spectre and Meltdown recently: INTEL took its time to inform
> the world! 

Of course, and for good reason.  The current practice has been carefully crafted by the consensus of security vulnerability workers.  That is: when a vulnerability is discovered, the responsible party is notified confidentially and given a reasonable amount of time to produce a fix before the issue is announced publicly.  There's a big incentive for that response to happen and typically it does.  If the issue is ignored, the announcement happens anyway along with public shaming of the part who didn't bother to respond.

With this approach, a fix can often be released concurrently with the disclosure of the issue, which dramatically reduces the oppportunity for criminals to take advantage of the problem.  This isn't a case of being nice to Intel; it's an attempt to benefit Intel's customers.

If you read the Meltdown and Spectre papers (by the researchers who discovered the problem, not the news rags reporting on it) you'll see this policy mentioned in passing.  

	paul