More devastating CPU vulnerabilities akin to Spectre found in CPUs - Intel first, others might follow.

[App4that]

3 minutes ago, ravenshrike said:

SPECTRE class bugs are something that everybody running a modern processor is vulnerable to and can only be mitigated against. MELTDOWN class bugs are something else entirely and unlike SPECTRE, are due to completely idiotic initial design decisions.

Yeah, those idiots with PhDs. If everything was designed by people on social media we'd have flying cars by now. 

[ravenshrike]

Just now, App4that said:

Yeah, those idiots with PhDs. If everything was designed by people on social media we'd have flying cars by now. 

Yep, because of course only stupid people can make idiotic decisions. Wait... no. Smart people make completely moronic decisions all the time.

[App4that]

Just now, ravenshrike said:

Yep, because of course only stupid people can make idiotic decisions. Wait... no. Smart people make completely moronic decisions all the time.

In your opinion. I'm sure there are people who think they know your job better than you too. Quite common. 

[ravenshrike]

1 minute ago, App4that said:

In your opinion. I'm sure there are people who think they know your job better than you too. Quite common. 

In what way was allowing the memory access permissions seen in MELTDOWN a smart design decision?

[App4that]

Just now, ravenshrike said:

In what way was allowing the memory access permissions seen in MELTDOWN a smart design decision?

In what way is a AND gate different from a NAND gate? Google and you lose. 

 

How much time you got?

[ravenshrike]

6 minutes ago, App4that said:

In what way is a AND gate different from a NAND gate? Google and you lose. 

 

How much time you got?

Uh huh, I'm sure the explanation is similar to Ford's explanation of the Pinto's fuel system.

[App4that]

Just now, ravenshrike said:

Uh huh, I'm sure the explanation is similar to Ford's explanation of the Pinto's fuel system.

Funny you should use that example as for the time period it wasn't that bad an issue. But no, not bean counters. 

[ravenshrike]

7 minutes ago, App4that said:

Funny you should use that example as for the time period it wasn't that bad an issue. But no, not bean counters. 

Uh huh, not that bad an issue. In reality it was a major issue but it didn't happen often enough to inflate fatality figures that much. But the Ford Pinto and related designs were worst in class for rear end fire fatalities, and Intel is worst in class for CPU hardware permissions escalation fuckups. It was an idiotic design decision. Just because there's no major exploitation of it doesn't change that.

[Ithanul]

...sure did not take long for this thread to go off the rails.

 

Any way a bit more on topic.

4 hours ago, Questargon said:

By the way: The article said, that just because they didn't find these exact flaws in AMD and/or ARM CPU designs, this doesn't mean, that they aren't there.

That is what is concerning to me.  I run both Intel and AMD setups.  Now I got more flaws I have to wait for patches to fix out of my computers.  Ugh.

[AresKrieger]

12 minutes ago, Ithanul said:

That is what is concerning to me.  I run both Intel and AMD setups.  Now I got more flaws I have to wait for patches to fix out of my computers.  Ugh.

TBH these flaws are not optimal for use against consumers so I wouldn't worry, they are really only useful against data centers and other places where a man in the middle style attack would also be applicable. There are far easier methods to screw with regular PCs as the ability to write is far more valuable in those situations, randsomware for example.

 

There is a reason people often call these exploits academic, ultimately they are far less effective than alternatives while also being difficult to setup due to timing being relevant, best target would be a large data volume credit card or bank server, or a data server that handles things like SSNs

[Mira Yurizaki]

1 hour ago, ravenshrike said:

SPECTRE class bugs are something that everybody running a modern processor is vulnerable to and can only be mitigated against. MELTDOWN class bugs are something else entirely and unlike SPECTRE, are due to completely idiotic initial design decisions.

What idiotic design decision was that?

[Kamjam21xx]

I see a lot of AMD and Intel back and forth.

[iamdarkyoshi]

So what you're saying is that after everything's patched, my 6700k will be about as powerful as a pentium 4? 

 

Yeah I'm not patching anything.

[Zodiark1593]

2 minutes ago, iamdarkyoshi said:

So what you're saying is that after everything's patched, my 6700k will be about as powerful as a pentium 4? 

 

Yeah I'm not patching anything.

Well, we could all just be using original Atoms and Cortex A53(5) based CPUs forever, with liquid nitrogen required to achieve 7+ GHz, and still not reaching parity with the 6700K.

 

[mr moose]

13 hours ago, porina said:

How much impact has Spectre and/or Meltdown had to people here so far?

An awful lot of butt hurt and whinging on forums about how evil Intel is and how they should be sent to hell for making mistakes like that.

13 hours ago, Ryujin2003 said:

So, why did these just get found now but never in the past? I guess I'm lost on why these existed for such a long time without being public knowledge much earlier.

Because unlike most bugs, security flaws have no adverse effects on a system that would cause someone to question if something is wrong.  So in essence unless you are lucky or already know exactly what you are looking for, it can take decades to discover exploitable flaws.  Meltdown and spectre had been postulated for quite some time, but even with several people working on it,  without knowing the exact condition required to exploit them it took a long time to uncover.

 

The probability that security flaws exist in every piece of hardware and software  is high.  The probability that someone will stumble upon any one of them without decades of research is very low.

[porina]

30 minutes ago, mr moose said:

An awful lot of butt hurt and whinging on forums about how evil Intel is and how they should be sent to hell for making mistakes like that.

For all the hot air floating around, I was thinking more on the practical side. For example, lost time to implementing bios or Windows Updates? Any other problems stemming from that? Noticeable performance impact? I've updated my main use system fully, and others less vigorously, and don't feel any difference in performance. Not done in depth benchmarking, but this would be indirectly in due course when I have some other need to do it.

[asus killer]

15 hours ago, Questargon said:

All eight are essentially caused by the same design problem – you could say that they are Spectre Next Generation.

well, they failed 7nm development but i guess they are making big progress on the bugs, i didn't expect a next gen so soon. Keep up the good work Intel 

[anotherriddle]

15 hours ago, M.Yurizaki said:

Which is what Meltdown and Spectre are starting to become. Most people aren't appreciably affected by it but people can't be bothered to read past the headline of "HORRIBLE SECURITY BUG CRIPPLES INTEL CPU PERFORMANCE UP TO 40%"

It is all about context. Will the average consumer be affected by these patches -> no

However, most of the money in the computer industry is in the enterprise sector, with "cloud" systems and virtualisation beeing used by essentially every major player. Up to- numbers are always misleading without the context.

[mr moose]

4 hours ago, porina said:

For all the hot air floating around, I was thinking more on the practical side. For example, lost time to implementing bios or Windows Updates? Any other problems stemming from that? Noticeable performance impact? I've updated my main use system fully, and others less vigorously, and don't feel any difference in performance. Not done in depth benchmarking, but this would be indirectly in due course when I have some other need to do it.

For us consumers and home users the effects are largely negligible.  I have no doubt thought that there was a cost to industry in knock on effects from slowed performance and resources being tied up in administering new patches etc.  Pretty hard to quantify all that though.

[Mira Yurizaki]

8 hours ago, mr moose said:

Because unlike most bugs, security flaws have no adverse effects on a system that would cause someone to question if something is wrong.  So in essence unless you are lucky or already know exactly what you are looking for, it can take decades to discover exploitable flaws.  Meltdown and spectre had been postulated for quite some time, but even with several people working on it,  without knowing the exact condition required to exploit them it took a long time to uncover.

 

The probability that security flaws exist in every piece of hardware and software  is high.  The probability that someone will stumble upon any one of them without decades of research is very low.

To add to this, here's another part about Meltdown at least: it was caused by a race condition.

 

Anyone who's ever had the pleasure of debugging software that has one of these buggers will know just how godawful difficult it is to:

1. Prove that it really exists
2. Convince yourself that it exists even though static analysis would say otherwise
3. Try and repeat the problem through normal operation because inserting debug code causes it to upgrade to a heisenbug (... don't get me started on these)
4. Fix it, test it, and not remain paranoid that it still exists.

[App4that]

16 hours ago, ravenshrike said:

Uh huh, not that bad an issue. In reality it was a major issue but it didn't happen often enough to inflate fatality figures that much. But the Ford Pinto and related designs were worst in class for rear end fire fatalities, and Intel is worst in class for CPU hardware permissions escalation fuckups. It was an idiotic design decision. Just because there's no major exploitation of it doesn't change that.

Intel is "worst in class" because Intel is the only one being researched. Why? Mac verses Windows. Remember Apple saying how Macs didn't have viruses? Remember the Mac guy verses PC guy? It wasn't that Mac was safe, but that a majority of the people using personal computers used Windows, so that's what people looking to write viruses wrote for.

 

Once Apple became competitiive, that changed, and the Apple marketing stopped on how Apple was "safer."

 

If AMD had 80% of the market, these labs would be researching AMD, not Intel, and you'd be upset at AMD.