More Intel leaks.. this one is not good though

[Liltrekkie]

1 minute ago, MadyTehWolfie said:

Well idk what to do. This is pretty confusing for someone who doesn't dabble in the software side of things. If going with a AMD CPU will make my desktop secure I guess I'll just use steam on my PC and nothing else and hope my PC doesn't get raped by a hacker.

The software patch will secure your system from Meltdown, youll take a minor performance hit of about 3 FPS in games but that's it. Microsoft and linux already issued patches to fix the issue in software.

[LAwLz]

10 hours ago, MadyTehWolfie said:

When I get the money I'm thinking of getting top tier thread ripper hopefully it's better then my 6700k. I'm sure it is but I haven't kept up with and CPUs as I haven't wanted one ever till now.

Think Jay said that hackers couldn't do anything with the amd CPU unless they have physical access to my PC. Since my PC is in my house fat chance of that happening.

Yes, and I have been asking for a source to that claim and so far I have not gotten one. Don't blindly believe what Jay says. He is not knowledgeable when it comes to operations systems, security, programming nor CPU architectures.

 

6 hours ago, MadyTehWolfie said:

Well idk what to do. This is pretty confusing for someone who doesn't dabble in the software side of things. If going with a AMD CPU will make my desktop secure I guess I'll just use steam on my PC and nothing else and hope my PC doesn't get raped by a hacker.

Basically, everything is vulnerable. How much and what variant depends on which specific chip you are talking about, but in general everything is unsecure. Even GPUs (this is from Nvidia but if their GPUs are vulnerable then I don't see any reason to assume AMD GPUs are safe).

It is important to note that going with one brand over another does not make you safe. Do not assume your computer is safe just because it has processor X or processor Y, especially not now as patches are starting to roll out. Which brand is the "safest" can change from one day to another.

 

As it stands right now, the unpatched holes appear to be hard to pull off, so all platforms that have received patches could be seen as low-risk (again, for now) if you ask me.

[Urishima]

One of the guys over at r/sysadmin posted a pretty approachable description of both Meltdown and Spectre:

 

https://ds9a.nl/articles/posts/spectre-meltdown/

 

Fun times for those of us working 2nd tier at MSPs who have performance SLAs to meet. The performance impact of the fixes could be enough to have to either convince our customer to increase their budget to buy beefier hardware (or provision the VMs their App runs on with more resources, as is probably more common these days than bare metal), OR to accept the performance decrease and renegotiate performance SLAs.

[WnDTech.Tips]

might be worth a read for those trying to update.

CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility : Sheet1

 

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

 

there ya go.

[MadyTehWolfie]

10 hours ago, LAwLz said:

Yes, and I have been asking for a source to that claim and so far I have not gotten one. Don't blindly believe what Jay says. He is not knowledgeable when it comes to operations systems, security, programming nor CPU architectures.

 

Basically, everything is vulnerable. How much and what variant depends on which specific chip you are talking about, but in general everything is unsecure. Even GPUs (this is from Nvidia but if their GPUs are vulnerable then I don't see any reason to assume AMD GPUs are safe).

It is important to note that going with one brand over another does not make you safe. Do not assume your computer is safe just because it has processor X or processor Y, especially not now as patches are starting to roll out. Which brand is the "safest" can change from one day to another.

 

As it stands right now, the unpatched holes appear to be hard to pull off, so all platforms that have received patches could be seen as low-risk (again, for now) if you ask me.

Wasn't saying it was fact. All I said was based on what he said if true there's a fat chance of that happening. Can't really provide a source other then Jay when that's where I got that info. Untill someone offers more info I'll be going off what he says as he has sources for his info from the vendors ect. Tell you what I'll send Jay a message and ask for his sources just for you. ?

[MadyTehWolfie]

13 hours ago, Liltrekkie said:

The software patch will secure your system from Meltdown, youll take a minor performance hit of about 3 FPS in games but that's it. Microsoft and linux already issued patches to fix the issue in software.

Probably won't see a hit in fps. I don't play above 60hz on my X34 so my CPU never saw 100% utilization when playing games. If I OC'd my panel maybe if see a few fps drop but even that is barely noticeable. I'm more worried about system security then anything else.

[luigi90210]

5 hours ago, MadyTehWolfie said:

Wasn't saying it was fact. All I said was based on what he said if true there's a fat chance of that happening. Can't really provide a source other then Jay when that's where I got that info. Untill someone offers more info I'll be going off what he says as he has sources for his info from the vendors ect. Tell you what I'll send Jay a message and ask for his sources just for you. ?

jay linked his sources in his video in the description 

[LAwLz]

13 hours ago, luigi90210 said:

jay linked his sources in his video in the description 

@MadyTehWolfie

OK so I decided to look up the sources he used for the video.

 

Here is what the original source says:

Quote

Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the issue, alongside academic colleagues, Google Project Zero's Jann Horn and employees of German cybersecurity firm Cyberus Technology. He told Forbes that the researchers "only have proof-of-concept code for local attacks." That meant, in the real world, an attack would require the intruder to have found a way onto the computer first. A typical cyberattack, such as a phish that installs malware, would be a likely entry point, though it's unknown if any malicious individual has attempted to carry out the hack.

 

Again, I don't know Jay's specific words, but if he says that an attacker needs physical access to your computer to carry an attack out then he is dead wrong, and so is anyone who believes him.

 

What the researcher actually says is that the published code which can be used to carry out an attack is something which needs to run locally on the computer. Like the article points out (maybe Jay skipped this part) is that if the code ends up on your computer somehow (security hole in another program, malware, or any other point of entry) then it can be executed, with or without the presence of a person at your computer.

Saying that a person needs physical access to your computer for this exploit is equally wrong to saying that you can't be infected by a Trojan horse, because it requires local access.

 

Now if people could stop spreading this misinformation that would be great. You are giving people a false sense of security.

The code that is already published (new code which does remote attacks might be possible, it's just that it hasn't been written yet) needs to run locally at the machine. It does not require physical access to the computer.

 

 

Remember what I said back in this post? I am 99% sure that's what is happening here.

On 1/8/2018 at 12:42 AM, LAwLz said:

Have you ever played that game where you whisper a word, and it passes from person to person? That's basically what happens with info right now.

Person 1 says something accurate.

Person 2 hears it, and retells it to other people, using slightly modified words.

Person 3 hears what person 2 says, doesn't fully understand it but decides to retell it anyway using their own words.

Person 4 listens to person 3, but don't understand it fully, but feels like repeating it anyway (although the parroting is not 100% accurate).

Person 5 now gets info from person 4, but the info is completely warped and twisted compared to what person 1 said.

 

That's why there is so much misinformation going around. Because none of person 2 to 5 stopped and though "maybe I shouldn't talk about things I don't understand".

Daniel Gruss is person 1.

Forbes is person 2.

Jay is person 3.

You are person 4.

Anyone reading your post on this forum will be person 5.

[porina]

Some randomness from out there: claim that a Haswell microcode fix impacts stability and reduces performance.

http://www.overclock.net/t/1645289/haswell-microcode-22h-vs-23h-security-spectre-performance-and-stability-differences

Maybe I'm being blind, it isn't clear even what hardware platform was used for this testing.

 

At least from that thread, was a link to Asus' position on firmware updates:

https://www.asus.com/News/V5urzYAT6myCC1o2

It looks like they will only be updating 6th generation onwards, so you're out of luck if you're still running systems older than that.

 

My position on this mess has been that I'm willing to prioritise performance over security. Now if stability is also impacted, we're reaching a point where the cure might be worse than the disease. I hope that in both the cases of MS patches, and now also the microcode updates, they're essentially rushed especially now that everything is blowing up. Maybe give them an iteration before actually applying it to critical systems.

[JuztBe]

Yup, just as Intel said, performance hit will be barely noticable. 
http://steamcommunity.com/games/NexMachina/announcements/detail/1583444307645115385

[LAwLz]

1 hour ago, JuztBe said:

Yup, just as Intel said, performance hit will be barely noticable. 
http://steamcommunity.com/games/NexMachina/announcements/detail/1583444307645115385

They never said that...

 

Here is Intel's official comment on performance:

Quote

Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

That sentence contains three statements.

1) The performance hit is workload dependent - This is true and has been validated over, and over, and over again.

2) For the average consumer the impact will be minimal - This is also true. There are now several independent benchmarks showing very little, if any, performance difference in common PC tasks like gaming, web browsing, video encoding, movie watching and so on. The average user does not run a server farm.

3) Later patches will reduce the performance decrease - Not sure if that is true but we will see.

[MadyTehWolfie]

4 hours ago, LAwLz said:

@MadyTehWolfie

OK so I decided to look up the sources he used for the video.

 

Here is what the original source says:

 

Again, I don't know Jay's specific words, but if he says that an attacker needs physical access to your computer to carry an attack out then he is dead wrong, and so is anyone who believes him.

 

What the researcher actually says is that the published code which can be used to carry out an attack is something which needs to run locally on the computer. Like the article points out (maybe Jay skipped this part) is that if the code ends up on your computer somehow (security hole in another program, malware, or any other point of entry) then it can be executed, with or without the presence of a person at your computer.

Saying that a person needs physical access to your computer for this exploit is equally wrong to saying that you can't be infected by a Trojan horse, because it requires local access.

 

Now if people could stop spreading this misinformation that would be great. You are giving people a false sense of security.

The code that is already published (new code which does remote attacks might be possible, it's just that it hasn't been written yet) needs to run locally at the machine. It does not require physical access to the computer.

 

 

Remember what I said back in this post? I am 99% sure that's what is happening here.

Daniel Gruss is person 1.

Forbes is person 2.

Jay is person 3.

You are person 4.

Anyone reading your post on this forum will be person 5.

Chill your tits bro wasn't saying what Jay said was a fact for sure just that he said it. 

[NumLock21]

Got a bios update for my HP laptop

 

KB patch only

 

KB patch with bios update

[Zodiark1593]

9 minutes ago, NumLock21 said:

Got a bios update for my HP laptop

 

KB patch only

 

KB patch with bios update

The single core score is better, but multi-cpu scaling is worse? I wonder if the SMT (Hyperthreading) capability takes a hit with the patches? It could be that HT relies on some of these performance enhancing features to get the most benefit, though there's no way for me to know for sure.

[NumLock21]

Just now, Zodiark1593 said:

The single core score is better, but multi-cpu scaling is worse? I wonder if the SMT (Hyperthreading) capability takes a hit with the patches?

Probably. Ran it a few times, multi-core score stayed around the upper 400s.

[Stefan Payne]

On 1/7/2018 at 9:33 PM, LAwLz said:

AMD is also affected.

Could you please stop that FUD/Propaganda? 

That isn't true!

ARS Technica has an article about that and it shows that Zen is not really suseptible to Spectre.

 

https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

 

There is a Chapter named Zen escapes (again)

Quote

Zen's branch predictor, however, is a bit different. AMD says that its predictor always uses the full address of the branch; there's no flattening of multiple branch addresses onto one entry in the BTB. 

And it also seems that Samsung used something similar on their Exynos processors...

[mr moose]

51 minutes ago, Stefan Payne said:

Could you please stop that FUD/Propaganda? 

That isn't true!

ARS Technica has an article about that and it shows that Zen is not really suseptible to Spectre.

 

https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

 

There is a Chapter named Zen escapes (again)

And it also seems that Samsung used something similar on their Exynos processors...

What the article says aside, it's not fair to accuse someone of FUD/propaganda citing articles/evidence written 4 days later.     The discussion happens chronologically and we can only evaluate based on what we know at the time of posting.

 

Also sometimes people have different information at their disposal or just have a different opinion, this is not the same as propaganda.

 

 

[Stefan Payne]

1 hour ago, mr moose said:

What the article says aside, it's not fair to accuse someone of FUD/propaganda citing articles/evidence written 4 days later.     The discussion happens chronologically and we can only evaluate based on what we know at the time of posting.

 

Also sometimes people have different information at their disposal or just have a different opinion, this is not the same as propaganda.

 

Its not like AMDs statement on their website and to the press doesn't have any legal implications, now is it?! 

So to say that AMD is as badly affected as Intel is just FUD because of the AMD statement that was out on the 3rd of January. And nobody could prove AMD wrong, so to say that 'AMD is as affected as Intel', was a lie and FUD because not true.

 

Here the Link

https://www.amd.com/en/corporate/speculative-execution

So here what AMD said about Spectre, Variant two:
 

Quote

Variant Two

Branch Target Injection

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date

 

Now with the added stuff, it should be clear that AMD is _NOT_ affected in any way close to how Intel is.

 

And the legal stuff:
IF AMD is wrong, its very very bad for them!

So you should trust that statement because if they are wrong, they are in serious trouble!!

 

 

 

It is fair when the Discussin started with someone saying that AMD isn't affected by that and LAwLz trying to push the narrative that AMD is affected as well as Intel - wich they are not.

 

And the ARticle I've posted is already 10 days old! So here is the starting point:

 

On 6.1.2018 at 3:35 AM, luigi90210 said:

AMD is only really vulnerable to spectre if there is physical access to the device and exploit 1 is really(its not the only one but its the easier of the 2 to run) the only exploit that can be run on AMD(which has been patched by microsoft already) exploit 2 is a lot harder to run since it requires deep intricate knowledge of where everything is stored on the cpu and what those exact addresses are, its not like the intel where addresses are stored on the chip, AMD processors do not store this information on the chip and yes it's still vulnerable to the attack, its not nearly as risky as it would be to be on an intel platform right now, if i understand this wrong please educate me on this

 

And luigi was right, LAwLz was wrong and tried to push the narrative that it was as bad as Intel on AMD processors - wich it is not and that was known at the time as well because of AMDs legally binding statement 3 days prior to luigi's post.

[ItsMitch]

11 minutes ago, Stefan Payne said:

clear that AMD is _NOT_ affected in any way close to how Intel

But they're still effected regardless, both company's was hit hard don't try and sugar coat it. I'd reply more but I'm pretty ill and doctors told me to rest.

[mr moose]

18 minutes ago, Stefan Payne said:

Its not like AMDs statement on their website and to the press doesn't have any legal implications, now is it?! 

So to say that AMD is as badly affected as Intel is just FUD because of the AMD statement that was out on the 3rd of January. And nobody could prove AMD wrong, so to say that 'AMD is as affected as Intel', was a lie and FUD because not true.

 

Here the Link

https://www.amd.com/en/corporate/speculative-execution

So here what AMD said about Spectre, Variant two:
 

 

Now with the added stuff, it should be clear that AMD is _NOT_ affected in any way close to how Intel is.

 

And the legal stuff:
IF AMD is wrong, its very very bad for them!

So you should trust that statement because if they are wrong, they are in serious trouble!!

 

 

 

It is fair when the Discussin started with someone saying that AMD isn't affected by that and LAwLz trying to push the narrative that AMD is affected as well as Intel - wich they are not.

 

And the ARticle I've posted is already 10 days old! So here is the starting point:

 

 

And luigi was right, LAwLz was wrong and tried to push the narrative that it was as bad as Intel on AMD processors - wich it is not and that was known at the time as well because of AMDs legally binding statement 3 days prior to luigi's post.

Wow, you're a bit invested in this aren't you?

 

1. Lawlz never said anything about AMD being "as badly affected"  He only said they were effected, and that is simply a truth.

2. Propaganda and FUD are intentionally spread to gain something,  what do you think Lawlz has to personally gain from discussing the information he has on a forum?

3. his post was made 4 days before your article was published.  the fact it's 10 days old now doesn't change anything.

 

You are making a mountain out of a mole hill, a rather irrelevant one at that.  An to be quite honest by claiming AMD are not effected you are lying.

 

 

 

 

 

[Stefan Payne]

2 minutes ago, mr moose said:

1. Lawlz never said anything about AMD being "as badly affected"  He only said they were effected, and that is simply a truth.

Yes, if you want to push the pro-Intel Narrative and not differentiate between Spectre 1 and two, you would say that...

 

And since we know a bit about this shit, souldn't we mainly talk about Spectre 2?!

[mr moose]

1 minute ago, Stefan Payne said:

Yes, if you want to push the pro-Intel Narrative and not differentiate between Spectre 1 and two, you would say that...

 

And since we know a bit about this shit, souldn't we mainly talk about Spectre 2?!

No.  the discussion is open for everyone to discuss all aspects.  People don't have to ignore specific bits just so you can pretend AMD aren't effected.

 

You have the audacity to accuse people of having a "pro-Intel Narrative" while you are the one lying and exaggerating regular discussion to defend AMD.

 

 

[pas008]

but wasnt this all kinda started to abuse an intel cpu?

 

so how do we know amd isnt affected with alternative way considering ryzen pro cpus? which prolly been patched now

 

but still goes to say theres a will theres a way

 

https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

[Stefan Payne]

Yes because all that matters right now is Spectre 2, not 1.

But it seems like you want to defend Intel and say that everyone is affected wich is lying by omission.

 

@pas008

Read the Arstechnica Article I posted.

https://arstechnica.com/gadgets/2018/01/heres-how-and-why-the-spectre-and-meltdown-patches-will-hurt-performance/

The "Zen escapes (again)" part. 

There you know that AMD isn't affected by most of it. 

[mr moose]

10 minutes ago, pas008 said:

but wasnt this all kinda started to abuse an intel cpu?

 

so how do we know amd isnt affected with alternative way considering ryzen pro cpus? which prolly been patched now

 

but still goes to say theres a will theres a way

 

https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

 

It is what it is,  some people just want to pick and choose which facts support their Ideals. I draw the line at accusing others of being pro this or defensive that when they are just discussing the topic at hand.

 

Facts:

 

1. it is a predominantly Intel CPU issue

2. AMD are effected, (ignore at your own peril).

3. software patches have fixed the issue with varying degrees of performance degradation.

 

Outside of that more exploits maybe discovered, no CPU is 100% flawless and reviews/benchmarks will eventually reflect any issues  the patches cause.  So it's not like people will have to take this into consideration when buying new CPU.