Surprises, and not

Sunday, 24 Jul 2005

Colin Percival about his discovery of the side-channel vulnerability of hyper-threading:

The prize for most professional response goes to SCO. […] Out of all the members of the Linux vendor security list, SCO was the first to request further details [and] to respond back with detailed and intelligent questions; when I asked for vendor statements, they were the first (and only Linux) vendor to respond; and they published an advisory only a few hours after the embargo on the issue ended.

The prize for most corporate attitude goes to Intel. […] I would ask questions (e.g., Would it be possible for you to produce a microcode patch as follows[…]), and the reply would invariably be “I’m sorry, but I’m not allowed to talk about that.” Worse, once it became clear that my recommendation – and FreeBSD’s response – was going to be to disable hyperthreading by default, Intel shifted completely into damage control mode, discarding all attempts at a reasoned security-centric response in favor of treating this simply as a public relations exercise.

The prize for most personally helpful goes to Mike O’Connor of SGI. […] when I explained to him the difficulties I was having with Intel, he took advantage of the established channels that SGI had, by virtue of being a large customer, to remind Intel that it was important to talk to people who discover security vulnerabilities.

The prize for least communicative goes to Microsoft. I was very amused recently to read the following in a story on eweek.com:

We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. […]”, [MSRC program manager Stephen Toulouse] said.

My experience with Microsoft was quite the opposite. When I first reported this vulnerability to Microsoft, I was thanked, given a ticket number (5834), and told that it would be handled by “Christopher” – no last name, no phone number, and no direct email address. […] in fact, they ignored all my attempts at cooperation. […] Even now, a month after I published the details of this vulnerability, I have received no communication from Microsoft to say if – let alone how – they intend to respond to this issue.

Finally, the head in the sand prize goes to Linus Torvalds. On Monday, May 16, three days after I published all the details of my attack, Linus wrote that he would “be really surprised if somebody is actually able to get a real-world attack on a real-world pgp key usage or similar out of it (and as to the covert channel, nobody cares). It’s a fairly interesting approach, but it’s certainly neither new nor HT-specific, or necessarily seem all that worrying in real life.” I really don’t know where to start with this, except perhaps to say that I’m very glad that Linus isn’t responsible for keeping my computer secure.

Now, two of the responses were perfectly in character, and another was unsurprising. But the other two were completely unexpected.

You should never think you know anyone too well. Except when you do.