Chinese X86 CPU on it's way - The Zhaoxin’s KaiXian KX-6780A

[realpetertdm]

Another big problem if you buy this CPU (outside of china) is customer service. What are you supposed to do if you encounter a problem? Intel and AMD CPUs have existed for a while so there are tons of troubleshooting guides and fixes known to the public, but with this one you're essentially alone unless you're fluent in chinese.

 

Also, RMA's going to be absolute shit, so if you get a defective product or something.... good luck!

 

 

[williamcll]

@porina @wkdpaul That price must be including overseas tax and shipping fees, because according to taobao priced at 4300RMB (490 USD)

 

 

I mean if you are worried about backdoors you could always wait for the reviews that look for what data gets out of the computer.

 

Source: https://item.taobao.com/item.htm?id=611411075104

 

 

[Bombastinator]

4 hours ago, realpetertdm said:

Another big problem if you buy this CPU (outside of china) is customer service. What are you supposed to do if you encounter a problem? Intel and AMD CPUs have existed for a while so there are tons of troubleshooting guides and fixes known to the public, but with this one you're essentially alone unless you're fluent in chinese.

 

Also, RMA's going to be absolute shit, so if you get a defective product or something.... good luck!

 

 

It’s still at engineering sample level.  Your statement make sense.  It would need a support system to be put in place for export.  It sounds like they’re still working on an even first production ready version though.  I don’t see these hitting even in China for close to a year, which means likely several years before world wide export would even be viable.  

[Bombastinator]

38 minutes ago, williamcll said:

@porina @wkdpaul That price must be including overseas tax and shipping fees, because according to taobao priced at 4300RMB (490 USD)

 

 

I mean if you are worried about backdoors you could always wait for the reviews that look for what data gets out of the computer.

 

Source: https://item.taobao.com/item.htm?id=611411075104

 

 

The problem with that though is it could still be changed at any time with a software update.  One would have to not only be vigilant at the start, but continue to be equally vigilant with each update.   Anything released as a binary would be suspect. 
they could do it by releasing source for any updates that could be read and independently compiled.  Huwai could do that too for its stuff.

 

This whole security issue can be gotten around.  It requires making adjustments though.  Also China could (and possibly should) rightly demand the same in return. 

[williamcll]

41 minutes ago, Bombastinator said:

The problem with that though is it could still be changed at any time with a software update.  One would have to not only be vigilant at the start, but continue to be equally vigilant with each update.   Anything released as a binary would be suspect. 
they could do it by releasing source for any updates that could be read and independently compiled.  Huwai could do that too for its stuff.

 

This whole security issue can be gotten around.  It requires making adjustments though.  Also China could (and possibly should) rightly demand the same in return. 

Software wise you could just run regular non-Mainland Linux 

[Bombastinator]

3 minutes ago, williamcll said:

Software wise you could just run regular non-Mainland Linux 

Doesn’t solve low level stuff.  Bios updates and stuff.  Basically all the same reasons the Chinese are building this thing in the first place.  If it’s a reasonable thing to do it’s reasonable it go both ways.  The hard coded internal CPU stuff could be looked at.  Batches of hardware would have to be verified.  It’s doable though I think.

 

What the world need is some sort of independent verification system that can keep manufacturer secrets.  Some sort of company that specializes in special master status.  Something Swiss maybe.  They’ve got a good rep for such things.

[desertcomputer]

On 1/31/2020 at 12:23 AM, wkdpaul said:

but I'm not sure I would trust a Chinese company not to insert some spyware in the core of the thing

I mean, Intel already have know backdoor/spyware (Intel Management Engine). IMO, any backdoor access are bad and shouldn't be created in first place.

[Kisai]

3 hours ago, desertcomputer said:

I mean, Intel already have know backdoor/spyware (Intel Management Engine). IMO, any backdoor access are bad and shouldn't be created in first place.

The purpose of the IME is enterprise management because the enterprise owns the hardware and needs it for deployment and asset tracking. It can track employees who are stealing or using the bathroom but you're only going to find that by doing dragnet fishing for it.

 

eg. Let's say you are the IT manager of a company with 100,000 employees. You give everyone the same Dell Latitude 4000V 2-in-1 , and because it has VPro features on it, it has out-of-band management built into the CPU. So because these have both wired and wireless network adapters, it can be probing for network connectivity even when it's powered off. 

 

Now, consider the following

 

Scenario 1. You shipped out 100,000 laptops, but after 4 months, you're finding that 10% of them have not registered on the enterprise network even once, so you pull up the asset tracking software and what do you think happened?

a) 10,000 laptops were "lost"

b) 10,000 laptops were not deployed, they're sitting in a warehouse

c) 10,000 laptops are deployed but they're some place with no network connectivity (eg Alaska, Antarctica, mid-west US and Canada, etc)

 

Now, if the devices had 3G or LTE modems, you could actually track them using GPS if they are being used, but since zero of them were deployed as such, you have to fall back to a general inquirty to see when the devices last checked in. So these 10,000 devices never once checked in. That means A or B is possible. So you have to send someone out there to check the warehouse, if they're not there, either Dell didn't deliver them, or they were stolen in transit.

 

Scenario 2. Your company fired someone who has a lot of access to the company's digital assets, maybe they're a spy, maybe they're just incompetent. They didn't immediately return their laptop. So you, as the IT person are told to disable or destroy the laptop at any cost. So you put out a "self-destruct upon check-in" command into the management queue, and the next time that laptop checks in or connects to the internet, it initiates a wipe of the SSD. Poof.

 

The reality is, that I doubt most companies make use of the IME features because they cost money to use, and the cost of hiring and retaining people who know what the heck they are doing is more expensive than losing a laptop full of financial or medical information on your customers. We've literately seen this.

 

2018 https://www.cbc.ca/news/canada/north/nwt-health-data-breach-laptop-stolen-1.4726891

2014 https://www.cbc.ca/news/canada/edmonton/laptop-stolen-with-health-information-of-620-000-albertans-1.2507161

 

2018 https://www.healthcareitnews.com/news/data-43000-patients-breached-after-theft-unencrypted-laptop

2013 https://www.hipaajournal.com/stolen-laptop-exposes-57k-patients-records-hipaa-security-breach/

 

and so on.

 

Now, to be fair, the companies do offer encryption software, however next-to-nobody uses it because they've moved to "cloud based" data management, so even if the machine is lost, the machine only acts as the key, not the door. Yet... https://9to5mac.com/2020/01/21/apple-reportedly-abandoned-end-to-end-icloud/ , wherever the data is stored, is not physically secure.

 

So a "backdoor" laptop only serves to spy on the person using the laptop, so if that users uses passwords, then all the keyboard strokes may be recorded and sent to a remote server (and yes this can be done with the Intel CPU IME too.)  So what you really want is to step away from user-input based credentials and move towards biometrics or smartcard/key's so that even if the smartcard is removed, you can't emulate the card, the card generates crypto keys, to unlock doors, it can't be emulated (or at least can't be emulated without re-creating the initial conditions) This is why when Google and Samsung rolled out earlier versions of NFC payment that simply aimed to emulate the smart card I was like "that is a terrible security risk" , you do not want that smart card being emulated, you want that to be physically removed from the device so it can't be piggybacked.

 

The thing is, having the best security just makes things extremely difficult and privacy-invasion hell, where as having the minimal security makes things fast and efficient, but one mistake just cascades into a lot of things being broken. In a high security system, one failure usually kicks you out, and you have to go through a lot of different layers to make stuff work again, it's nuts.  So either you have a lot of overhead managing security, or a lot of clean up if you don't.

 

Personally, I would not buy Chinese-market devices (eg anything labeled Huawei) because of how Chinese companies are basically told they must work with the government to spy on their own people. I would not put it past the CIA and FBI to do the same with domestic American companies, but clearly not every company in the US has it's eyes on the same goals. Apple as an example above abandoned end-to-end encryption because it was just too much of an inconvenience for customers (at least regular customers, maybe it exists for government staff.) That tells you one thing, if you don't want the government to be able to spy on you at all, you store everything on the phone and hope you never lose it, because the backup will be the weakness.

[JoostinOnline]

On 1/31/2020 at 10:43 PM, Bombastinator said:

The deal is it’s VIA.  They actually used to be a chip maker.  There was a Russian one too or something that did it by emulation.They had some sort of thing where they lost a lawsuit and had to sit in their hands until a patent ran out but when it did(will?) theyre all good again.  Via always specialized in low end very low power laptop stuff.  Did some of the first ultrabooks though they weren’t called that then.

Thanks, didn't know that.

On 1/31/2020 at 11:44 PM, Dabombinable said:

This is China. They really don't care at all (that's why for example the iPhone branded handbags still exist).

Well my question wasn't "Would someone in China really break patent laws?", I was asking whether or not it did. Mainly because I was curious if it could be sold in other countries.

[Bombastinator]

19 hours ago, JoostinOnline said:

Thanks, didn't know that.

Well my question wasn't "Would someone in China really break patent laws?", I was asking whether or not it did. Mainly because I was curious if it could be sold in other countries.

I got more data on that one.  I was partially wrong.  The “Russian one” was actually American.  Transmeta.  I thought Russian because I remember watching a video interview and the person in the interview had a Russian accent.  They did very low power chips too.  
Via has remained a chip maker.  They just don’t make many CPUs since 2011 or something.