Intel CEO Brian Krzanich published an open letter pledging an increased commitment to security, transparency, and collaboration.
Whether or not your view of Intel has been changed by the Meltdown/Spectre issue, we can probably all agree that Intel’s best option is to come clean on the blunder. To that effect, Krzanich’s letter might be signaling at least some change to the way Intel does things.
Krzanich highlights Google’s involvement in discovering Meltdown/Spectre and also commits Intel to increased industry collaboration, at least on security matters.
“To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.”
Intel is also committing to greater transparency on the performance impact of the Meltdown/Spectre patches. It recently chose to publish its own benchmarks and said that more would be coming. As for its patching efforts, Intel says all affected CPUs will have fixes by the end of January, but it didn’t commit to changing its strategy here.
This is already the second major security issue requiring large-scale patch deployment by Intel within three months, the first being the Intel ME issue. Undoubtedly, many systems will remain vulnerable to both of these issues indefinitely because they’re too old to patch or have simply been forgotten about. Intel should more actively push its partners to release patches and release more comprehensive vulnerability detection tools that also tell customers where to get updates.