Sympa l'article.

" Gruss recalls telling Fogh that the chipmakers would have uncovered such a glaring security hole during testing and would never have shipped chips with a vulnerability like that."

"Despite Fogh’s encouragement, the Graz researchers still didn’t think attacks would ever work in practice. "That would be such a major f*ck-up by Intel that it can’t be possible," Schwarz recalled saying. "

Avec le passage dont parle Tchou :

[i]"The Graz team’s attitude quickly changed, though, as summer turned to fall. They noticed a spike in programming activity on their KAISER patch from researchers at Google, Amazon and Microsoft. These giants were pitching updates and trying to persuade the Linux community to accept them -- without being open about their reasons sometimes.

“That made it a bit suspicious,” Schwarz said. Developers submitting specific Linux updates usually say why they’re proposing changes, "and on some of the things they didn’t explain. We wondered why these people were investing so much time and were working on it so hard to integrate it into Linux at any cost."

To Schwarz and his fellow researchers, there was only one explanation: A potentially much bigger attack method that could blow open these vulnerabilities, and the tech giants were scrambling to fix it secretly before every malicious hacker on Earth found out."[/i]

...pas que...

In one case, Amazon found that a patch increased the time it took to run certain operations by about 400 percent, and yet the cloud leader was still lobbying that every Linux user ought to take the fix

On Dec. 3
[...]
The team told Intel the next day -- around the same time Cyberus informed the chip giant. They heard nothing for more than a week. "We were amazed -- there was no response," Schwarz said.
[...]
On Dec. 13, Intel let Cyberus and the Graz team know that the problems they found had already been reported by Horn and others. The chipmaker was initially reluctant to let them contribute.
[...]
Once inside the secret circle of the large tech companies, the Graz researchers expected they would have the typical 90 days to come up with comprehensive fixes before telling the world. "They said we know it, but will publish it at the beginning of January," Schwarz said. It had been roughly 180 days since Google unearthed it, and keeping such issues under wraps for more than 90 days is unusual, he noted.

Clairement, c'est "ils font chier ces cons d'universitaires à nous emmerder sous le fallacieux prétexte qu'ils ont écrit le fix qu'on modifie pour lui faire prendre en compte bien plus de choses, on gère très bien ça entre nous".
Et je commence à me demander si sans cette panique du 2 janvier due à des journalistes on aurai eu un tel branle-bas-de-combat. Je commence à me demander si le but n'était pas de patcher plus ou moins silencieusement le truc. Que ça ai fait les gros-titres semble avoir été un accident.