Consumer Remedies for PCs etc. subject to Spectre and Meltdown Vulnerabilities

Short and simple - there is a separate discussion on these bugs already underway with plenty of technical and related content. Without clouding that discussion and the average consumer with highly informed comment - separately, what is the exact legal position here for the average Australian consumer who has a laptop, a PC, or a mobile device subject to these vulnerabilities?

The technically minded have suggested that the Spectre and Meltdown vulnerabilities are due to the physical design of the processor chip. Further, the vulnerabilities have been there for products from current models through to more than ten years of age.

It could be useful for us to share our thoughts on consumer remedies given the consumer situation for many of us may be without legal precedent.

  1. If you purchased a device in the previous 12 months and a complete and satisfactory remedy (i.e. fully resolved security with no power or other losses) is not provided in a reasonable time frame, can you get your money back on return of the item? Is this the same as or similar to the VW response to vehicles not meeting stated emissions?

  2. If your purchase is more than 12 months old, is the vendor or supplier off the hook to ensure firstly that the vulnerabilities are remedied in a reasonable time and secondly that the remedies do not affect your use of the device?

  3. Generally the manufacturers of the many affected devices drop support of products that are as little as 12 months old, but typically 24 months. Some manufacturers have no presence in Australia and sell on to a third party who may or may not exist today. Companies such as Sony sold their PC business and there is no real certainty as to the liability of the new owner, who is not active in Australia. The defect is not only in the product but due to the design of the processor. The processor is a separable portion of the design. Does this then also make the processor/chip sub-system designer, manufacturer and supplier (Intel being one such example) liable for remedy? Is this similar to the Takata airbag scenario?

  4. Intel, for one example, is saying that it will not resolve the problem directly with the end user/consumer but will supply remedies to the manufacturers. Under Australian consumer law, if the brand maker/manufacturer is no longer in Australia or no longer exists, do consumers have recourse through consumer law directly to Intel, or against Intel through civil/class action?

  5. Is it possible that the computer electronics industry is so big and global, and the nature of the flaws so widespread, that us poor consumers will simply be told to grin and bear it since we have also benefitted from the technology despite its defects? Will the pace of change of technology outstrip any legal remedy or action? We are also still waiting for global warming to be fixed!

I can personally understand that for software and other general internet-related risks a user needs to be self-aware and should use antivirus protection. Spectre and Meltdown are not in the same class, nor simple obvious risks. It is painfully obvious when you consider the advice that AV cannot prevent or fix these risks. I am all the more concerned in that my two Sony PCs have a Sony software feature that prevents my hardware from being updated by anyone other than Sony! If Intel did supply a fix to me directly, I'm assuming it will not be capable of being installed! I expect that many consumers will find that they have no choice other than to upgrade their products in 12 months' time when a whole new range of supposedly bulletproof solutions is made available through new products.

Is this another possible future example of an industry being able to leverage advantage from consumers as a consequence of providing defective products?

4 Likes

A hijack, but the computer world is complex well beyond the comprehension of even the best hacker. An old and true story from the earlier days is that a certain software company took error reports from its customers. After a few years of steadily improving their product and making it more reliable, they essentially got to an equilibrium where there were about 1200 bugs reported and corrected, which resulted in about 1200 new bugs.

The resolution was to document the 1200 known bugs on the basis that knowing the faults in the product was better than fixing known bugs while creating new ones needing to be discovered. Hardware was once all logic but now is often firmware (e.g. embedded software).

The legal world struggles with it because, no matter how or what, the equivalent of those 1200 known bugs reflects the reality of computing. It cannot be made perfect and error-free as a practical matter. Regarding the whats and whys of why this is the case, that is another topic. If the onus on selling in any market becomes too legally onerous, the manufacturers would have no realistic choice but to leave that market and thus duck liability, if no rational compromise or allowance was made.

2 Likes

@mark_m, yours is a well considered and written post.

2 Likes

I agree - great post. Good questions.

Also re above - yes, more so than the VW scandal, where there is quite a lot of choice in the car market, there realistically isn't a lot of choice in the CPU fab market if Intel and AMD decided it was all too hard. One thing about the VW scandal - it was a deliberate and wilful act to specifically advantage the company by fudging code to comply with emissions figures while still retaining performance - my belief is that the chip industry had no idea 20 years ago this was a thing, probably had no idea 2 years ago - they have been blindsided by a 'wtf' discovery by some pretty clued-up propeller-heads.

I'm writing this on a little thin single-config Windows thing made by HP - no BIOS updates for it yet and frankly I'm not fussed. When and if they come, it will be slower, and frankly I'm not fussed - because the 5% it robs me of is part of the 50++% that sits idle while I browse and play YouTube videos in the background. Does the machine live up to my expectations? Yes, and still will, I imagine - was it falsely advertised? Probably not, certainly not 'with wilful intent' - and after 30-something years in IT (EDP back in the day) I'm certainly jaded, I'd think.

BUT - the fact most people won't notice the problem, won't notice the slowdown with the fix, and may never have been compromised by an exploit of either vulnerability (yet to be well defined, I think) - does that mean the manufacturers shouldn't be accountable? I think it could be argued they are being accountable already - time will tell.

There might be a small number of cases where claims were made about performance metrics that will now fall short of the bar - and those customers might see some compensation - I reckon the rest of us will apply the patches and be happy we are now 'safe', whatever that means, not notice our YouTube running any slower and move on to the next Nick Cave video ...

Still ... good questions. If nothing else, it's interesting and the whole thing just a little amusing.

2 Likes

In the 'early days' my rellie had a small 'credit' shop (e.g. most of his customers had ongoing credit accounts with regular as well as irregular payments) and was leading edge in moving his accounts from hardcopy to a PC-class computer. When he ran his accounts program his entries were put into an input file and processed by a 'batch update' that took hours. After a few years of steadily improving hardware the batch run was reduced to a few minutes. Then it got to a few seconds per entry in real time instead of batch updating. Finally he said it was so fast it made no difference any more. He typed something in and whether it got processed in 1/2 second or 1/10000 second, it still looked instantaneous as a practical matter. Where there are compute-intensive situations this may not be the case, but it is for most of us.

As you so correctly wrote, if the computer can 'serve the application' with no discernible impact it is all academic, and possibly some 'ambo-chasing' lawyers looking for a dollar.

2 Likes

My understanding is that the manufacturer of the good is ultimately responsible for the goods even if a second party used that good in a product they produce. An example is the Takata airbags: the car manufacturers are responsible, but so was Takata, and the issue has sent them bankrupt. But to go further, not all AMD, ARM or Intel CPUs are bought as a component in a ready-made system; some are purchased separately and installed as part of an upgrade or new build of a computer by consumers, thus Intel, ARM or AMD have a direct link to the consumer and should be responsible for the flaw they have introduced.

As I wrote in my post in the topic relating to the flaws, this would lead to a case for consequential damages, and I add not just for the replacement of the CPU but possibly the RAM, motherboard, lost productivity, costs for labour, and software. I have just recently updated several components in my computer and now several of them are likely to need to be replaced when a new unflawed CPU is produced, hence I am considering my legal options to recover all my costs.

@PhilT It is not perhaps the impact of time spent doing something, but rather the insecurity it adds to the computer. We already have flaws in our software and hardware, some of them not critical flaws and yet others are. For software flaws most providers issue patches to address them, and in the case of security flaws most are patched within a short time frame of being advised (of course some are never patched or take inordinately long to be patched). However, the flaws now found to be present in the hardware are not just going to consume clock cycles to "fix" but have opened new "holes" that with the right malware will be hard to block or even recognise, and as the flaw is created in hardware it, by its nature, cannot be repaired. Yes, AV engines are being updated to deal with this new threat, but no one will be entirely sure of security for some time to come.

2 Likes

Having dealt with the legal types more than I ever hoped, be prepared for the depreciation aspect and 'unfettered use and enjoyment' to date. If your computer was $2,000 and it is 3 years old, even if you are successful you could be awarded almost enough to account for your time, paid at minimum wages.

2 Likes

Yes, I am also aware of the costs to my claims, but in this case ACL accounts for the consequential losses I may expect and my legal costs would be part of that amount. But I am not foolishly running out to seek redress, but rather am weighing all the pros and cons. The hope is that a 'class action' may be an easier and less costly route, but that remains to be seen.

3 Likes

/me hides behind a small wall made from Raspberry Pis to watch how it all unfolds ...

1 Like

I sees me a Pi firewall, me hearties.

1 Like

Been in many of those, and quite often my share of the award after expenses was less than the minimum amount they had to distribute to any single individual. My outcome was thus a letter explaining that although my direct losses were [in the order of many $100s or $1,000s], my share was under $10 so they were not obliged to write me a cheque, and thanks for participating.

2 Likes

For 'some time to come'? Or would that be 'never' as a practical matter? Not that you and others do not realise it, but security is a cat-and-mouse or whack-a-mole game. Since Microsoft and IBM set the standards for coding and CISC pushed RISC aside, my feel is it would take a full master-clear reset to start at T0 again to get it right.

2 Likes

... where those expenses were a substantial 'win' for the law firm involved. At least you got a thank-you and the cost of postage.

I installed a Pi-hole recently - primarily for ad-blocking - interesting for two reasons: firstly the visibility it gives you of your network traffic, often not as available on home routers; secondly because today it tells me it is blocking 14% of my DNS queries - which by default include all the lookups for Windows call-home functions etc.

1 Like

Realistically, then, there will be for some time many users of PCs, laptops, tablets and mobiles who are at risk of having private details hacked or their devices compromised through those details. Many will not know if they have had secure information compromised. Most will not know if or when their devices are safe or still unsafe to continue to use for, say, internet banking or accessing a myGov account.

The risk as defined may not be that great today. As others develop ways to exploit the design flaw, the many of us left using vulnerable devices will be at significant risk. How many of the 20 million or so Australians who will have at least one device based on the current at-risk designs have the ability to understand or respond? Very few, I'd suggest!

In today's technically driven environment it is beyond most of us to hide behind geekdom and hobby toys. We just want and need devices which function reliably and securely. Few of us purchased our latest tablet device, PC or smartphone on the understanding it was unreliable and insecure and totally unsafe for internet banking. Or, possibly worse, with their home network exposed to external access?

I'd add one more question to this topic:
What are the big banks advising concerning online banking - is it still safe to use our everyday devices to bank online? If not, who then takes responsibility when some clever person finds a way to use one of the methods described by Spectre or Meltdown to compromise a banking service: the bank, the user or the chip maker?

Perhaps this is all a bad dream and the risks are purely imaginary. There really is no one clever enough to create a tool to take advantage of the method. If this is correct, why bother patching all those cloud/virtual servers?

Caution - tech content
As for CPU/processor and system designers not understanding or creating the problem consciously - the need to limit the ability of code to make calls and references to data inside a closed environment (reference range) has long been accepted as essential for reliable and safe/secure operation. That it was supposedly not foreseen with respect to Spectre and Meltdown is independent of whether these events could have been foreseen.

4 Likes

Oh, I agree that security will never be faultless. Though not everything in security is reactionary; some of it is preventative foresight and planning, and the more proactive and cautionary we get, the more secure we can be. In this particular instance there are "fixes" that can be and are being deployed. Some of these fixes will require new hardware. I think that at some point in time those particular holes will have been patched for now, and many will breathe a sigh of relief and will have not so fond memories of the day when... and by then we/they will be cursing at least one new one and probably many more than one.

I feel that anything that is used to interact with the web and provide a wide selection of experiences will by its nature have holes, some of which will be security nightmares but are meant to be there, others will be innocent oversights, and yet others will be the result of negligence and/or hubris. Quantum computing will add another layer of complexity; I shudder at the thought of what could and will happen. The can that holds the worms continues to provide even more holes for the critters to wriggle out of.

3 Likes

I'll be sure to raise this with my colleagues in content and investigations. Thanks for starting the discussion @mark_m.

2 Likes