MWL: I saw advisories from SCO and from FreeBSD, but I'm sure you contacted other vendors: Microsoft, Sun, Red Hat, SGI, and so on. How did people react; did they take you seriously or blow you off? How did they work with you? I'm especially curious about how Intel reacted to being told that there is a basic problem with their design.
CP: In general, I had no trouble convincing security people to take this problem seriously. As one person put it, "Anything which comes from the FreeBSD Security team immediately has an air of credibility to it," and while I was reporting this problem in my personal capacity as a security researcher, the fact that I am part of the FreeBSD security team certainly helped. Beyond that, the individual reactions were quite different; but rather than addressing each vendor's response individually and in detail, which would take many pages, I'll just give the highlights--in the form of awards for exceptional performances.
The prize for most professional response goes to SCO. I must admit to having been rather surprised by this, in light of the public disagreements between SCO and the free software community, but SCO's response to this issue was really quite superb. Out of all the members of the Linux vendor security list, SCO was the first to request further details after I posted to indicate that there was a problem; they were the first to respond back with detailed and intelligent questions; when I asked for vendor statements, they were the first (and only Linux) vendor to respond; and they published an advisory only a few hours after the embargo on the issue ended.
The prize for most corporate attitude goes to Intel. I had some trouble establishing contact with them in the first place--not that I can assign much blame for this, since Intel, unlike operating system vendors, has not had much experience in dealing with security flaws--but even once I found someone who was willing to talk to me, our conversations were rather less than useful: as a general rule, I would ask questions (e.g., Would it be possible for you to produce a microcode patch as follows ... or How about making the following changes in future processors ...), and the reply would invariably be "I'm sorry, but I'm not allowed to talk about that." Worse, once it became clear that my recommendation--and FreeBSD's response--was going to be to disable hyperthreading by default, Intel shifted completely into damage control mode, discarding all attempts at a reasoned security-centric response in favor of treating this simply as a public relations exercise.
The prize for most personally helpful goes to Mike O'Connor of SGI. As little communication as I had with Intel, I'm sure I would have had even less were it not for Mike's help: when I explained to him the difficulties I was having with Intel, he took advantage of the established channels that SGI had, by virtue of being a large customer, to remind Intel that it was important to talk to people who discover security vulnerabilities.
The prize for least communicative goes to Microsoft. I was very amused recently to read the following in a story on eweek.com:
"We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. We commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one," [MSRC program manager Stephen Toulouse] said.
My experience with Microsoft was quite the opposite. When I first reported this vulnerability to Microsoft, I was thanked, given a ticket number (5834), and told that it would be handled by "Christopher"--no last name, no phone number, and no direct email address. Later the issue was transferred to "Brian"--but again, no contact information was provided. Despite comments from multiple third parties that Microsoft was "very concerned" and had "several people" working on this issue, Microsoft did not "make it clear they wanted to work closely" with me--in fact, they ignored all my attempts at cooperation. Finally, when I sent emails to Microsoft asking for a progress report, I received no response. Even now, a month after I published the details of this vulnerability, I have received no communication from Microsoft to say if--let alone how--they intend to respond to this issue.
Finally, the head-in-the-sand prize goes to Linus Torvalds. On Monday, May 16, three days after I published all the details of my attack, Linus wrote that he would "be really surprised if somebody is actually able to get a real-world attack on a real-world pgp key usage or similar out of it (and as to the covert channel, nobody cares). It's a fairly interesting approach, but it's certainly neither new nor HT-specific, or necessarily seem all that worrying in real life." I really don't know where to start with this, except perhaps to say that I'm very glad that Linus isn't responsible for keeping my computer secure.