More Intel leaks.. this one is not good though

[2unlimited]

Anders raised this concern 7 months ago. But it wasn't until google put it to actual work that someone waved the flag and said "this is a problem". You're right, I don't understand the mechanics of Cpu, but I understand the human nature and the "if aint broken dont touch it" philosophy. 

[Xirhanna]

2 hours ago, luigi90210 said:

oh trust me, im concerned, i have a home business i run on all intel machines so there is a potential that i can lose thousands of not hundred of thousands if there is a data breach because of this

if it was financially viable for me id switch all my computers to AMD just for the security reason alone

 

this is intel being incompetent, the NSA released an outline on how to secure intel based PCs and literally the first step was to disable IME and these vulnerabilities were discussed at REcon14 and intel basically blew off that whole discussion 

For your sake, I would encourage a switch to AMD now... I think this is important enough to merit it as financially viable.

[mr moose]

8 minutes ago, 2unlimited said:

Anders raised this concern 7 months ago. But it wasn't until google put it to actual work that someone waved the flag and said "this is a problem". You're right, I don't understand the mechanics of Cpu, but I understand the human nature and the "if aint broken dont touch it" philosophy. 

And?  You are making the mistake of assuming time has any meaning in this.  The very nature of security bugs means that they can remain hidden for an indefinite period, regardless of who is looking for them.

[luigi90210]

5 minutes ago, Xirhanna said:

For your sake, I would encourage a switch to AMD now... I think this is important enough to merit it as financially viable.

oh trust me it makes sense financially but its hard when the funds are tied up in other assets at the moment, i have already started doing work on my personal Ryzen rig and got off my i5 2400 dell computer but outside of one other AMD computer(which is an a6 7600k) which i use for testing hardware i have no other AMD machines 

[Hellion]

3 hours ago, Drak3 said:

No, he's not.

He's stating that without evidence, no one can claim that the bug was being hidden by Intel.

No, I'm fully aware of my surroundings. And what Moose is actually saying.

Not "finding" an exploit in 23 years of affected CPU's is one of two things: incompetence or neglegence due to prioritizing performance over security.

 

Use your head.

 

Mr moose is attempting to claim that unless you are an engineer intel hasn't done any wrong...

[Xirhanna]

1 minute ago, luigi90210 said:

oh trust me it makes sense financially but its hard when the funds are tied up in other assets at the moment, i have already started doing work on my personal Ryzen rig and got off my i5 2400 dell computer but outside of one other AMD computer(which is an a6 7600k) which i use for testing hardware i have no other AMD machines 

You could sell your Intel hardware and buy AMD stuff now.  It'll be safer for you in the future I think.  I have no idea how to run a business and I commend you for that.  I'm just spouting off stuff that may or may not be possible for you.  Hehe.  <3

[luigi90210]

Just now, Xirhanna said:

You could sell your Intel hardware and buy AMD stuff now.  It'll be safer for you in the future I think.  I have no idea how to run a business and I commend you for that.  I'm just spouting off stuff that may or may not be possible for you.  Hehe.  <3

its just time really, over the next few weeks im going to be off loading not only myself(since i dont like working on my gaming computer, already wasted an hour gaming today lol) but my other employees from intel to AMD

the issue that is gonna give me the most headache is finding a ryzen based laptop as those are hard to find and expensive since one of my employees needs a laptop and the other desktops that need to be replaced are gonna get a ryzen 3 makeover ill probably end up turning my old work computer into a mobile gaming computer(since its a SFF dell with a standard 75w pcie slot) for lans and such

[Hellion]

3 hours ago, mr moose said:

Please for the love of god read my posts. I am not saying you cant criticize Intel or any company for what has happened, I am saying you can't level an accusation of intention without proof, in this case you'd need to have the same knowledge of processor design as Intel to have that proof.

23 years of making the same mistake is enough proof for me and those with logic/lack of a clear bias.

[luigi90210]

2 minutes ago, Hellion said:

23 years of making the same mistake is enough proof for me and those with logic/lack of a clear bias.

are you gonna say the same thing about the hardware bug that was found in the 802.11 standard aka the krack attack

these things are usually caught off guard with day zero exploits years sometimes decades after release you cant blame intel for not finding this initially, what you can blame intel for is ignoring the REcon14 conference where the IME was discussed in detail and how its a bad thing

[Xirhanna]

10 minutes ago, luigi90210 said:

its just time really, over the next few weeks im going to be off loading not only myself(since i dont like working on my gaming computer, already wasted an hour gaming today lol) but my other employees from intel to AMD

the issue that is gonna give me the most headache is finding a ryzen based laptop as those are hard to find and expensive since one of my employees needs a laptop and the other desktops that need to be replaced are gonna get a ryzen 3 makeover ill probably end up turning my old work computer into a mobile gaming computer(since its a SFF dell with a standard 75w pcie slot) for lans and such

Ah, yeah, Ryzen laptops aren't that common yet.  I hope you are able to make your way out of this Intel fiasco however with minimal losses.

[Drak3]

6 minutes ago, Hellion said:

Not "finding" an exploit in 23 years of affected CPU's is one of two things: incompetence or neglegence due to prioritizing performance over security.

 

Use your head.

 

Mr moose is attempting to claim that unless you are an engineer intel hasn't done any wrong...

It doesn't have to be either of those things.

 

An exploit or bug can go decades without notice simply because testing methods miss some minute detail that have microscopic chance of happening at the time. An oversight of an apparent small detail is neither incompetence nor negligent. It's human nature.

 

Unless you're calling all of the developers behind every Linux and Unix that use BASH incompetent or negligent for Shellshock/ the BASH Bug, which existed 25 years without being noticed or patched. There's alot more eyes looking through that than there could be looking through Intel's design schematics, and more combiinations to test for bugs, exploits, and incompatibilities.

[Hellion]

6 minutes ago, luigi90210 said:

are you gonna say the same thing about the hardware bug that was found in the 802.11 standard aka the krack attack

these things are usually caught off guard with day zero exploits years sometimes decades after release you cant blame intel for not finding this initially, what you can blame intel for is ignoring the REcon14 conference where the IME was discussed in detail and how its a bad thing

Responsible corporations do regular internal audits.

 

This should have been caught a long time ago.

[mr moose]

23 minutes ago, Hellion said:

Not "finding" an exploit in 23 years of affected CPU's is one of two things: incompetence or neglegence due to prioritizing performance over security.

 

Use your head.

 

Mr moose is attempting to claim that unless you are an engineer intel hasn't done any wrong...

 

Clearly you don't understand the nature of security bugs either.   You  are completely ignoring the nature of security flaws. 

 

It is one thing "if" Intel knew about it for that long and ignored it, but completely another to assume they did or to assume it only occurred out of incompetence. 

 

It is not uncommon or unusual for security flaws to remain unnoticed regardless who is looking for them, that is the nature of their existence.

 

 

[leadeater]

22 minutes ago, Hellion said:

23 years of making the same mistake is enough proof for me and those with logic/lack of a clear bias.

So what about IBM, ARM and AMD then? I mean it's not like only Intel got it wrong and yet if it was so obvious why could thousands of CPU designers, engineers and operating system developers not figure it out.

 

CPU designers look for ways to improve CPU performance and push that technology forward

Security experts look for weaknesses and bugs in software and hardware

 

Two different goals and fields of expertise, not mutually exclusive but not the same thing either.

 

FYI operating system/kernel developers are just as much to blame because that is a shared issue between them and CPUs as far as Spectre goes. 

 

And it's not a mistake it's a design flaw. You can have a flaw with something that was successful at the purpose it was designed for, success in one mans eyes but a failure in another, who is right? The person who achieved what they wanted or the person who found an unrelated flaw to the original goal?

[leadeater]

11 minutes ago, Hellion said:

Responsible corporations do regular internal audits.

 

This should have been caught a long time ago.

Why should they have found it a long time ago? Are you assuming it was easy to find? Are you also assuming that it was a glaring and obvious design flaw?

 

A flaw that has a significant impact that is extremely critical does not imply that it was easy to find.

[mr moose]

3 minutes ago, leadeater said:

So what about IBM, ARM and AMD then? I mean it's not like only Intel got it wrong and yet if it was so obvious why could thousands of CPU designers, engineers and operating system developers not figure it out.

 

CPU designers look for ways to improve CPU performance and push that technology forward

Security experts look for weaknesses and bugs in software and hardware

 

Two different goals and fields of expertise, not mutually exclusive but not the same thing either.

 

FYI operating system/kernel developers are just as much to blame because that is a shared issue between them and CPUs as far as Spectre goes. 

 

And it's not a mistake it's a design flaw. You can have a flaw with something that was successful at the purpose it was designed for, success in one mans eyes but a failure in another, who is right? The person who achieved what they wanted or the person who found an unrelated flaw to the original goal?

So much better with words than me.  Mind you I am really tires right now and dealing with a major autistic breakdown in the house.

[Drak3]

1 minute ago, leadeater said:

And it's not a mistake it's a design flaw. You can have a flaw with something that was successful at the purpose it was designed for, success in one mans eye but a failure in another, who is right?

It's kind of like the BAR.

 

1 minute ago, mr moose said:

I am really tires right now

Are you a summer 4 pack of light truck tires? I'll need some in a few months.

[LAwLz]

18 minutes ago, 2unlimited said:

Anders raised this concern 7 months ago. But it wasn't until google put it to actual work that someone waved the flag and said "this is a problem". You're right, I don't understand the mechanics of Cpu, but I understand the human nature and the "if aint broken dont touch it" philosophy. 

Ehm... Google contacted Intel, AMD and ARM, among others, several months ago too. In fact, Google's project Zero found it in June last year.

This type of attack has actually been theorized for quite a long time. It's just that no known way of exploiting it had been found and it was theorized to be extremely hard to do.

And no, I would not consider that reckless. It happens all the time in both hardware and software design (and most certainly is not limited to Intel).

Someone could guess a random number, and if they guessed right they could compromise Microsoft's root certificate, allowing them to do things like push out malicious updates, MITM and a bunch of things to steal credit card data and so on. The risk of them guessing correctly is so small though, that it is not worth worry about.

However, if someone were to post evidence that it is trivial to obtain Microsoft's private key then things would be taken seriously very quickly.

It's the same thing here.

 

 

26 minutes ago, Xirhanna said:

For your sake, I would encourage a switch to AMD now... I think this is important enough to merit it as financially viable.

14 minutes ago, Xirhanna said:

You could sell your Intel hardware and buy AMD stuff now.  It'll be safer for you in the future I think.  I have no idea how to run a business and I commend you for that.  I'm just spouting off stuff that may or may not be possible for you.  Hehe.  <3

AMD is also vulnerable to Spectre. I think it's reckless of you to give advice when you clearly know very little about the situation.

[Xirhanna]

Just now, LAwLz said:

AMD is also vulnerable to Spectre. I think it's reckless of you to give advice when you clearly know very little about the situation.

Enlighten me then instead of being rude about it.  I was just stating things based on what I know or assumed.  I wasn't telling him what to do, I was simply suggesting it.

[pas008]

@Hellion

good good let the hate flow through you

 

if there is a will there is a way

 

people/hacker/security/etc will also find exploits, figuring them is their job

many yes many go unsaid because was caught internally

you cant find them all sometimes it takes outside minds to do it

[pas008]

2 minutes ago, LAwLz said:

Ehm... Google contacted Intel, AMD and ARM, among others, several months ago too. In fact, Google's project Zero found it in June last year.

This type of attack has actually been theorized for quite a long time. It's just that no known way of exploiting it had been found and it was theorized to be extremely hard to do.

And no, I would not consider that reckless. It happens all the time in both hardware and software design (and most certainly is not limited to Intel).

Someone could guess a random number, and if they guessed right they could compromise Microsoft's root certificate, allowing them to do things like push out malicious updates, MITM and a bunch of things to steal credit card data and so on. The risk of them guessing correctly is so small though, that it is not worth worry about.

However, if someone were to post evidence that it is trivial to obtain Microsoft's private key then things would be taken seriously very quickly.

It's the same thing here.

 

 

AMD is also vulnerable to Spectre. I think it's reckless of you to give advice when you clearly know very little about the situation.

link to the bolded?

[LAwLz]

19 minutes ago, Hellion said:

Responsible corporations do regular internal audits.

 

This should have been caught a long time ago.

I don't think you know how security audits work...

It's not like they look through code and then find all the issues. It's not like in a video game where you will get a progress bar, and once it reaches 100% you're done and your code is 100% secure.

 

This was an issue that was overlooked by:

• Microsoft
• GNU/Linux
• VMWare
• Intel
• AMD
• Nvidia
• ARM
• Apple
• MIPS

and possibly a long list of other development teams too.

Why? Because it requires a lot of "out of the box" thinking. Someone made a pretty good analogy before. We discovered two new elements in 2010. Moscovium and Tennessine. Are you really going to say the entire world of scientists were stupid because they hadn't discovered these two elements until 2010?

Finding security holes is not a job where you just look through code and then you might discover something. It involves A LOT of trial and errors. Remember shellshock? That was a bug in bash discovered in 2014. Bash is open source and has been audited countless number of times, and yet the issues went unnoticed for almost 20 years. Are you saying that all the developers involved and auditing bash had noticed the bug (which was quite easily fixed) but just chose to ignore it? Again, that's not how security audits work.

[ItsMitch]

"We fixed the bugs guys!!!!" - Intel

orlly

https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9

 

[Jito463]

1 hour ago, mr moose said:

And?  You are making the mistake of assuming time has any meaning in this.  The very nature of security bugs means that they can remain hidden for an indefinite period, regardless of who is looking for them.

58 minutes ago, Hellion said:

23 years of making the same mistake is enough proof for me and those with logic/lack of a clear bias.

I've butted heads in another thread with Moose and accused him of being an Intel apologist, but I have to agree with him here.  Just because a bug isn't discovered for a long time, doesn't mean anyone knew about it.  There's no reason to believe anyone knew and just swept it under the rug; not without some incriminating evidence, anyway.

[leadeater]

20 minutes ago, LAwLz said:

This was an issue that was overlooked by:

• Microsoft
• GNU/Linux
• VMWare
• Intel
• AMD
• Nvidia
• ARM
• Apple
• MIPS

And IBM, probably a very significant one to add to the list considering they run most of the banks and telecommunications around the world.