Are we going to prosecute all long-tail problems in any product? Often it takes years or decades to unveil a problem, and changing a chip design is a multi-year task. So even if Intel knew AVX could lead to attacks, a timely fix might not have been possible.
Realistically, no. Security is not a feature people are dying to pay for, it's just overhead. Look at Experian, on the front page again, still insecure. It's cheaper to make the defective product and say you're a little sorry, now and then.
Isn't this sort of what the lawsuit is for, though? Even if it's cheaper to make the initial defective product and say you're sorry after, if the sorry is both guaranteed (prosecuting even the long tail) and large enough, then hopefully at some point it raises the overall cost to the point where it's now cheaper to build things correctly.
Are we really going to essentially outlaw releasing buggy software now? And taking down software and services once a security issue has been found? Because I don't think any software I wrote was ever 100% bug-free.
Their decision not to fix is not the problem; their decision to keep the flaw a secret, sell products with a performance expectation set, and then release patches that slow down that paid-for performance is.
Anyone who needs out-of-the-box performance can get it if they're willing to accept out-of-the-box security. Of course that doesn't make these side-channel attacks any less frustrating. For instance the original Meltdown and Spectre attacks were on my mind when I chose to "vote with my dollar" and buy an AMD CPU, only to end up with Zenbleed this year lol
They shouldn't have to accept an OOB security flaw that was intentionally not disclosed at the time of purchase. If Intel had just made that information public when they found out, your argument would be valid. They could also have purchased different processors.
Speculative execution was what made CPUs fast. That some creepy people use it for hacks is another story. Are we going to end up with super slow CPUs with super hard security in the end? There is a trade-off between speed and security, so pick one or the other. I would rather have a fast CPU than one that prevents hacking in some narrow scenarios. Cloud operators might have another view, but why should I be punished for scenarios that won't ever happen on my laptop?
As someone who has used computers since the early '90s: even if you take away speculative execution, CPUs are still ridiculously fast. The problem is that people are doing very slow stuff on them (Python, Electron, layers upon layers of abstractions) and only getting away with it due to (sometimes) dangerous hacks.
Let's look at a random processor, like, say, the Intel Pentium G3420. A budget CPU released in December 2013 (coming up on its 10th birthday), it's a dual-core CPU with a 3.2 GHz clock speed. Now, I don't know what your use case is; not many problems are nicely parallelizable, but at the scale we're talking about it doesn't really matter that much, because 3.2 billion instructions is a really big number. Now don't get me wrong, a million is also a quite sizable number; while 1 dollar won't even buy you a loaf of bread, a million dollars will buy you a real fancy house, but a billion goes even beyond that. For example, if you live to be 85 years old and from the moment you are born until the moment you pass away you do a thousand calculations per hour, every hour of the day, every day of every year, you will have done 750 million calculations. That's less than a quarter of what that ancient budget CPU does _per second_.
Unfortunately some people, when given access to such power, have a tendency to abuse it. And that's what leads us to things like a chat app taking 9 seconds to launch.
It was only part of what made them fast, and they should absolutely have told their clients what the price for that performance increase was. Choice is fine, but it has to be an informed one.