Every modern processor has unfixable security flaws
- Thread starter Newtun
- Start date
Intelpocalypse should be interesting to see how this flushes out in 2018. I'm glad I waited on building my next system and hope they can address this in future hardware to not get hit with the performance penalty in the upcoming software patches.
Stereodude
Not really a
Happy, happy, joy, joy... :cursin:
timwhit
Hairy Aussie
Doesn't seem like the AMD flaw is nearly as bad. Is there even an real exploit in the wild for AMD yet?
Chewy509
Wotty wot wot.
IIRC, exploits for AMD
Note: There are actually two items going on, one is a deep flaw in the OOE (out-of-order execution) engine of the the Intel CPU core (called Meltdown), and another of how page tables and OS's use them and will affect all CPUs (irrespective of make/model) that use this style of virtual memory. (called Spectre)
Both Anandtech and Arstechnica have decent layman terms writeups.
https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre
https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/
As for me, the old moto 68K or early PowerPC are looking mighty fine at this point.
Chewy509
Wotty wot wot.
Intel list for Meltdown:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Looks like my ancient Atom N570 powered netbook is safe from Meltdown at least...
What's interesting is, the above list shows no Pentium4, Core or Core2 based CPUs (these lack the IMC (Integrated Memory Controller) that the ix-Core series brings), so is Meltdown a result of a design decision in how the IMC was integrated with the CPU?
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Looks like my ancient Atom N570 powered netbook is safe from Meltdown at least...
What's interesting is, the above list shows no Pentium4, Core or Core2 based CPUs (these lack the IMC (Integrated Memory Controller) that the ix-Core series brings), so is Meltdown a result of a design decision in how the IMC was integrated with the CPU?
Stereodude
Not really a
But is it really a concern to home users? They'd need physical access to the machine to run such an exploit in which case you've already got a bigger problem.
Chewy509
Wotty wot wot.
There (reportedly) is a POC for Spectre that runs via javascript on Chrome that extracts details from other running processes on the system and displays them in the browser... Could mean possible leaks of username/passwords for online sites (banking, social media, etc). Could mean attacks looking for kerberos ticket information to get access to other machines on the network, etc.
Very low probability of success, but is still an issue. I've read some people claiming both are largely a non-issue for desktop users, as exploit code needs to be run on the host system... but when the exploit code can be javascript from some random site... that's a different ball-game.
I don't see the issue of Meltdown or Spectre used in isolation, but rather as a small part of a larger exploit/attack setup. eg, as a stepping stone to getting deeper into the system.
Chewy509
Wotty wot wot.
FYI, Meltdown patches for Win10 being released today, patches for Win7/8.x released as well, but expected to be widely deployed next Tuesday.
Patches for some GNU/Linux distros are already out (all my Arch Linux boxes are patched). (kernel 4.14.11 includes initial patches for Meltdown, distro vendors to backport as appropriate).
And there are rumors that the last patchset macOS High Sierra included some initial patches for Meltdown as well.
Patches for some GNU/Linux distros are already out (all my Arch Linux boxes are patched). (kernel 4.14.11 includes initial patches for Meltdown, distro vendors to backport as appropriate).
And there are rumors that the last patchset macOS High Sierra included some initial patches for Meltdown as well.
Chewy509
Wotty wot wot.
I guess you won't be buying a new system for a while. From what I've read, the full impact of Spectre isn't known yet, so mitigations will take time.
Newtun
Storage is nice, especially if it doesn't rotate
It may be a concern for home users that, for instance, log on to their bank's web pages that may have been compromised by these issues. And IIRC, these exploits can effect VMs, so that, for example, a "rogue" VM server on The Cloud might be able to access another company's VM server.
There is a somewhat popular impression that exploiting these kinds of issues is unlikely, because the perpetrators are isolated miscreants. However, recent events seem to give some indication that various government entities have devoted significant resources to pursuing malware intrusions of computer systems for their own nefarious purposes.
I hope the old 5930K system holds up for a while. I'm not spending $3K+ for mainboard/CPU/RAM and having a slower computer than the old one if the fixes kill performance.
Intel has released new microcode:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
Stereodude
Not really a
They weren't pimping security in their CES booth. I can't imagine why...
5G was a really big topic though.
5G was a really big topic though.
No, I never find any. There are all sorts of technical discussions about the Meltdown and Spectre (malware), but what is the actual impact to the user's infected computer and data?
Are people losing data, being extorted, dying in hospital, etc.?
Meltdown and Spectre are not malware. Malware can be written to exploit the technical deficiencies in security that Meltdown and Specter have within the CPU.
The full extent of the impact has yet to be determined but the possibility of some user space code having access to other user space data means your sensitive information could be at risk. I don't believe it is as much at risk on your own machine as it would be on a public cloud system but I'm sure that can be argued.
The full extent of the impact has yet to be determined but the possibility of some user space code having access to other user space data means your sensitive information could be at risk. I don't believe it is as much at risk on your own machine as it would be on a public cloud system but I'm sure that can be argued.
timwhit
Hairy Aussie
Eventually, someone will write a JavaScript version of the exploit and anything you do online will be at risk. No one is going to announce this exploit. You should patch your system now.
Yikes! The internet is becoming more of a pain than it is worth. 
Perhaps I should take the main computer offline after the outbursts as I was planning to do last year. Then I could update Windows on the NUC and only connect with that device. At least I don't do anything on my home computers that would have a financial impact.
The work laptops are so slow with all the extra security lately that it is ridiculous. All the incoming or outgoing e-mails take up to several minutes with the scanning.
Perhaps I should take the main computer offline after the outbursts as I was planning to do last year. Then I could update Windows on the NUC and only connect with that device. At least I don't do anything on my home computers that would have a financial impact.
The work laptops are so slow with all the extra security lately that it is ridiculous. All the incoming or outgoing e-mails take up to several minutes with the scanning.