undefined | Better HN

0 pointsjosh26005y ago0 comments

This is a thing I think people constantly underestimate... Intel's cores are not necessarily dramatically more broken than everyone else's chips, they just pay for more auditing and public research.

0 comments

17 comments · 5 top-level

staycoolboy5y ago· 4 in thread

> they just pay for more auditing and public research.

Who is Intel paying to audit their chips?

doytch5y ago

Anyone who wants to report something via their bug bounty program.

https://www.intel.com/content/www/us/en/security-center/bug-...

viraptor5y ago

Auditing/public research and bug bounties are not really the same category.

dijit5y ago

Famously, telegram has a bounty program- but was widely criticised for it, and for not doing a formal audit.

Criticisms here: https://news.ycombinator.com/item?id=6940665

I don’t doubt that they have more independent security analysis than just the bounty program; but using it as an argument that they’re paying people is not realistic.

staycoolboy5y ago

Bug bounties are very different than auditing. In an audit, there is a contract in place with specific analysis objectives based on agreed-upon criteria. I find it unlikely anyone in the industry would have more experience than Intel about CPU manufacturing, although there might be security consulting firms that are advanced enough to merit a real corporate NDA. But given the breadth and depth of their IP, even that seems unlikely.

But I would still really be interested to know who Intel hires to audit their products, if this is true. I'd like to do that kind of work.

yjftsjthsd-h5y ago· 3 in thread

> they just pay for more auditing and public research.

Did Intel finance the research that turned up any of the major headline vulnerabilities over the last few years (meltdown, spectre)?

ENOTTY5y ago

A quick survey of the papers published in 2019 and later (i.e., post Meltdown/Spectre, inclusive) listed at [1] indicate that Intel contributed financial support to the majority of them. ARM was the second-most corporate contributor, followed by AMD.

[1]: https://gruss.cc/

monocasa5y ago

They did not.

Polylactic_acid5y ago

It was a Google researcher mostly.

1 more reply

unethical_ban5y ago· 3 in thread

This is very much an opinion, not a fact. "Intel is only in trouble because they got caught, AMD is surely incompetent as well, but hasn't been found out".

google2341235y ago

A google scholar search for "amd security" turns up less than 100k results while a search for "intel security" has <2 million results.

ACow_Adonis5y ago

ok, but what's the ratio of the number of Intel cpus running on something worth hacking compared to the number of amd CPUs?

2 more replies

pankajdoharey5y ago

I dont think it has much to do with competence, the order of complexity in these chips are reaching super human levels of intellect to decipher. Finding vulnerabilities is hard but safeguarding against them is even harder. Take 'spectre' for instance, it is a fundamental problem with the speculative architecture can't really get rid of it.

oblio5y ago· 2 in thread

Even if they wouldn't, I imagine the exposure is enough. Windows, Android, Linux probably have more eyes on them than all the other software in the world, combined.

ReverseCold5y ago

"If you want half the world's hackers to audit your code, put it in an Apple product. If you want all the world's hackers to audit your code, put it in a Nintendo product."

xen2xen15y ago

Please tell me where this came from, and that it's not just something you made up?

1 more reply

nemothekid5y ago

The most "broken" thing about Intel's chips was discovered by Google

j / k navigate · click thread line to collapse

0 comments

17 comments · 5 top-level

staycoolboy5y ago· 4 in thread

> they just pay for more auditing and public research.

Who is Intel paying to audit their chips?

doytch5y ago

Anyone who wants to report something via their bug bounty program.

https://www.intel.com/content/www/us/en/security-center/bug-...

viraptor5y ago

Auditing/public research and bug bounties are not really the same category.

dijit5y ago

Famously, telegram has a bounty program- but was widely criticised for it, and for not doing a formal audit.

Criticisms here: https://news.ycombinator.com/item?id=6940665

I don’t doubt that they have more independent security analysis than just the bounty program; but using it as an argument that they’re paying people is not realistic.

staycoolboy5y ago

But I would still really be interested to know who Intel hires to audit their products, if this is true. I'd like to do that kind of work.

yjftsjthsd-h5y ago· 3 in thread

> they just pay for more auditing and public research.

Did Intel finance the research that turned up any of the major headline vulnerabilities over the last few years (meltdown, spectre)?

ENOTTY5y ago

[1]: https://gruss.cc/

monocasa5y ago

They did not.

Polylactic_acid5y ago

It was a Google researcher mostly.

1 more reply

unethical_ban5y ago· 3 in thread

This is very much an opinion, not a fact. "Intel is only in trouble because they got caught, AMD is surely incompetent as well, but hasn't been found out".

google2341235y ago

A google scholar search for "amd security" turns up less than 100k results while a search for "intel security" has <2 million results.

ACow_Adonis5y ago

ok, but what's the ratio of the number of Intel cpus running on something worth hacking compared to the number of amd CPUs?

2 more replies

pankajdoharey5y ago

oblio5y ago· 2 in thread

Even if they wouldn't, I imagine the exposure is enough. Windows, Android, Linux probably have more eyes on them than all the other software in the world, combined.

ReverseCold5y ago

"If you want half the world's hackers to audit your code, put it in an Apple product. If you want all the world's hackers to audit your code, put it in a Nintendo product."

xen2xen15y ago

Please tell me where this came from, and that it's not just something you made up?

1 more reply

nemothekid5y ago

The most "broken" thing about Intel's chips was discovered by Google

j / k navigate · click thread line to collapse