A little of both. Side channel attacks as a concept are not new, but the ability to reliably weaponize them in this fashion is. This is stuff that previously was not thought possible. (And yet despite this, you likely don't want a CPU that can't do speculative execution)
Meltdown is a real issue. The seriousness of Spectre, on the other hand, is completely overblown. All you can do with Spectre is slowly, really slowly, read memory from other non-kernel processes, *if* you are able to run some very high CPU usage code for a long time without the owner/user of the computer being attacked realizes it. The value of such an attack is so low as to make it basically irrelevant -- who is going to bother burning CPU cycles to run a Spectre attack when they could use those CPU cycles to attempt numerous other much more significant and valuable attacks?
I should clarify: Spectre *is* an important issue for users who run programs that store highly valuable information in memory. But the vast majority of users do not, and the cost of running a Spectra attack and also the extremely low chance of it acquiring anything of useful value, means that for end-users who don't run banks on their computers, it's a non-issue.
It's kind of like saying that for the average person, snake poison is not a danger, so we don't all keep vials of snake bite antidote with us at all times. But that doesn't mean that snake bites are not dangerous, and there are definitely people who *should* keep antivenom with them at all times -- like people who regularly travel through jungles known to be populated by venomous snakes. But would you believe someone who told you that you should keep antivenom with you at all times because a criminal may decide to attack you with a snake? Of course you wouldn't. That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?
"That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?"
I'm sure that there are people out there that think attacking someone with a danger noodle is a lot cooler than the aforementioned gun or knife even if it is more troublesome. Haven't you seen Indiana Jones or James Bond movies? The bad guy always dangles the hero over a danger noodle pit.
I too have many deep and important questions, abstract enough to conceal my surface-level understanding of modern CPU architecture. Frankly, I'm only here for the danger noodle.
One thing that I am frustrated with this Meltdown/spectre stuff - in my past knowledge of OS development - if non ring 0 stuff attempts to access ring 0 data - it should cause an exception by the processor. If it is from ring 0, then this should be device driver on OS and should not be certified for deployment.
Are we talking about realistic issue here? or actual OS issue?
Accessing memory you don't have access to, DOES cause an exception, but in Intel CPU's it only does this in the retiring phase. Speculative execution that turns out to not be required doesn't get retired, so no exception is thrown.
AMD's architecture is different, whereby the privilege check is also done at the start of the memory request even when performed speculatively.
You can't access this memory directly, even though it's been brought into the cache. But you can speculatively use it to cause a performance side effect in memory you can later access and by timing this access, work out what the original value brought into the cache was.
1) Meltdown is a solved problem. It is not a 'class' of attacks where you'll see a new exploit every few months. It was found, functionality that enabled it was disabled/bypassed, and it is now gone as an issue aside from the hit on performance in certain scenarios. Continuing to bring it up outside of the contexts where it hurts performance (databases, virtual machines, etc) is a meaningless distraction.
2) The idea that because Spectre is 'slow' it is not a major threat is silly. Of course if an easier exploit exists an attacker will utilize it. But that is a non sequitur, you could say that about literally any exploit. The point is that there will be times when Spectre class vulnerabilities ARE the easiest path to stealing data, especially in virtualized server environments. And the idea that its 'slow' is a relative statement, these CPU's are handling millions of operations per second, 'slow' can still mean it gets everything it needs in a few seconds. Furthermore, since Spectre is a class of issues rather than a specific exploit, it is rich for zero days and unknown exploits from well funded state and criminal actors, where you could see exploits outed years after they were exploited with no one the wiser.
Spectre is a huge problem and its scope is as yet not well understood.
Unless you know who you are attacking and why, spectre is useless. It's not the kind of attack that can be exploited to quickly and easily get some kind of administrative/root access on a machine, so you can't do anything useful with it except extract data. Yes, if you attack someone with known valuable data, then spectre is worthwhile.
Another real world analogy for you: spectre is like being able to look at the top left corner of a person's coffee table. You have no idea what you're going to find there or if it's even useful. How many attackers are going to spend time randomly looking at the top left corner of people's coffee table hoping to find information that they can use to their benefit? Sure if the target is rich and you know they tend to leave their bank account details lying around, then it's worth doing. But this implies that you know something about your target. In the vast, vast majority of security exploits out in the wild, the attacker knows nothing about the attacked. They just attack known insecure services hoping to get something of known value -- the ability to use CPU/network cycles on the target machine, and possibly a way to take control of the machine entirely. The attack is an automated process that tries to deliver one or both of those things. A random spectre attack will net the attacker what? Some random memory from a user level process. What is the chance that they will be able to use that in any way? How much CPU power would it take to even analyze the data to sift through it to find useful things? Who would bother?
I would personally patch Meltdown because that's a much more significant attack that can reveal kernel level secrets that could very easily lead to a more substantial attack vector on the machine. Spectre on the other hand, I personally wouldn't even bother for my home systems. Just like I wouldn't bother carrying antivenom around, or ensuring that nothing is in the top left corner of my coffee table just in case someone peeks in the window.
Meltdown is already patched. Nothing more to discuss about that one. Spectre's main threat isn't home systems, its cloud based and targeted attacks (for now). You hit someone's infrastructure. Data exfiltration *is* the primary value in attacking corporate networks. And quite frankly that does impact home users when its their data being stored and then leaked.
I don't expect Spectre to have much of an impact on home users, although that could change since its only started to be explored. I do expect it to have a large impact on the cloud however as it threatens the security of virtualized hosts substantially.
Just FYI, there is something called PCI 3.0 compliance - in this situation for example with restaurants - the account cards are not allow to be stored on system at all - so even if they break in the account is not found. In additional for example with VeriFone systems that have implemented full PCI 3.0 compliance - the accounts are driven by tokens ( and in some cases token less ) to if card number is retrieved - it just a token - a pseudo random on for account. Even the developers at VeriFone do not access to original account.
Of course there older systems that are not compliant. some for those systems, if you could some how intercept the cache. then you can hack it.
Spectre is a huge issue for cloud providers. And if i rent a ec2 instance on amazon you bet I will be running it near 100% fpr most f the time I rent it. That is the point of it. Spectre is a virtualization issue.
On the other hand you are right. for consumers spectre is a non-issue mostly. If hacker can run spectre, then he could run much more dangerous and easier tools as well. you lost the battle already.
Perhaps it's time to tone down our reliance on cloud-based services?
Things worked fine in the past without the cloud, so I fail to see why we can't step back. Not to mention that many of these cloud-based systems are nothing more than vendor-lock-in schemes to make easy money.
@bji thanks for the snake analogy. That was a clear and spot on explanation.
You obviously go to the hospital. They (should) have the necessary anti-venom. Why do you wan't to police yourself if you already pay for a policing institute that should catch these criminals in the first place?
Anyway, have there been real reports of Spectre-compromised systems (yet)?
Spectre does not "compromise" systems, it allows the attacker to extract data and *leaves no trace*. This is the danger of it. It is a significant risk for *SHARED* computing, like cloud hosts.
That's one of the logical fallacies that the NRA hides behind. It's patently ridiculous. You can just as easily say.
"That's the problem with rocket launcher laws though. Only the criminals have rocket launchers then and what are you going to do when attacked with one?"
Or nuclear weapons, napalm, etc. The argument doesn't hold any water unless you want to argue that literally everything should be legal, regardless of how potentially dangerous it is, and then I doubt many people would agree with you.
Right now it can be used to infer the contents of other programs, including those running at other privilege levels. It's a serious issue with no obvious hardware solution. Developers can write software to essentially fence off things that are at risk, but requiring software developers to protect against hardware flaws is not a good long-term solution.
I agree. I'm specifically curious about a proof that shows that future speculative execution designs could not be made more secure. Intuitively I feel that speculative execution could be patched up but I have not put a lot of thought into it.
You can't prove a negative. There is no way to 'prove' that future designs can't be exploited. While its possible that you could secure speculative execution in such a way that it could not be exploited the ways we know of currently, we can't really guard against a future we don't know and there is always the question of whether or not the performance tradeoffs of such security won't themselves cost more in perf than the feature gains.
I think you're underestimating what is possible with a formal analysis of CPU architecture. This kind of property can be proven in the mathematical sense, but full formal analysis of systems with this much complexity is almost always regarded as cost-prohibitive. And it would be an even bigger task to make backwards-compatible modifications to a current architecture to produce one that is completely immune to speculation-related information leaks but still has similar performance to current speculative architectures. It's probably easier to build a new architecture from scratch, even including the costs of breaking compatibility with all existing software.
"This kind of property can be proven in the mathematical sense, but full formal analysis of systems with this much complexity is almost always regarded as cost-prohibitive."
you sort of can. it's called a maths proof. cpu is a manifestation of symbolic logic problem. that's how von Neumann devised the computer in the first place. somewhere along the line, the maths failed. fixing hardware problems (design, not manufacturing) is a white board problem. it's in the maths.
"And yet despite this, you likely don't want a CPU that can't do speculative execution"
I do, if done properly. Speculative execution (beyond conditional branches) is a kludge for outdated processor architectures which place memory too far from cores, and very obvious power waste. Given that even now performance is TDP-limited, days of speculative execution need to come to their end.
Not at all. There is no know alternative, within the current paradigm, to exploit the instruction level parallelism that speculative execution does. For there to not be a benefit you’d have to abandon the very idea of pipelined architectures.
I think we should ask the big question, are these researchers helping or hurting the industry?
Especially giving rewards to people who find such issues?
What should be look at root of why people create such problems to attack in first place and create stupid Virus and malware in the first place. It has to be download from internet some where - awards should be given to prevent such activity. Not on optimizations of processer to improved performance.
Site is a little bias - it mention Intel in big print at top - but in smaller print mentions that ARM and AMD could also be effected.
Also there is nothing that provide legitimate description of what these issues are. Unless this is provided - how can we trust it.
There is no bias here - just opinion - that I think that this stuff is so over blown - and that anybody who does not think the real problem is with people who make virus and malware then they are probably in with the same people.
I just concern the site ( not Amandtech but the German one ) did not provide any thing to back up there claims - just that they got 8 new issues. How reliable is that! They are the one that show bias.
And as quickly as it is researched publicly it is researched even faster by governments and people that have a financial or defense interest in exploiting vulnerabilities. What are you trying to argue against? The very use of computers?
"What are you trying to argue against? The very use of computers?"
So creating Virus or Malware is the very use of computers? as a developer, I would say no - it trying to inject bad code on to customer system to create harm to customer.
All I am saying that is real threat here. So I believe this should be handle by OS.
Jesus man, how little sense can you make, and how close minded can you be? It's like saying that if governments stopped running domestic intelligence agencies to deter foreign governments from spying by figuring out how they get info and stopping it, then magically the foreign governments will just stop spying.
I do dev in the finance industry - if there was a class of attack that went unknown for even a few months because bad actors got there first then we could be open to millions in losses, even bankruptcy - the internet as a marketplace would die instantly as nobody could trust it.
These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely.
"These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely."
experience, to date, is that FIRE industry has gotten off with little more than slaps on the wrist for their mal/non feasance. the current administration isn't going to hold their feet any closer to the fire (pun intended).
We don't live in a world without viruses and malware, and governments are major perpetrators of them. It isn't going away. So back in the real world, yes it is helpful to find and disclose vulnerabilities and potential vulnerabilities. Nothing else to really discuss there.
If you have evidence of intentional malware, backdoors, extortionware and other vulnerabilities in Windows 10, of course you should discuss them. If they are unintentional, I would suggest following the industry standard disclosure timelines (you may even get a bounty).
I would agree I am being attack here - just because I have a difference of opinion. But that does not give anybody a right to attack me. Let just agree to disagree on this subject.
Your comment is nonsensical. The article reports what is *known*. They acknowledge that it may also affect others, but they do not have hard evidence of that yet. My guess is that it will, but in reporting you can't state that definitively.
Also, why would you not give rewards to those who find issues? I spent a lot of time as a software QA, the entire job is getting paid to find (and avoid) coding defects. No developer intentionally makes mistakes, but mistakes are made every day because code is complex (as are physical architectures). Creating bounty programs is the responsible thing to do for any company releasing complex products where it is virtually impossible to ever 100% certify everything works as intended.
The mention article was in German, but it had no technical merits to back up its claim. If the reports are existing Spectre issues than why repeat the information and just state patching the OS with updates is not the fix.
In my opinion, this is deliberate attempt to bring up an issue to bring attention to themselves. Maybe this German site - wants to bring attention to find a way to get the $250,000 from Microsoft. But are they doing more harm than value?
I'm not certain what your issue is here. This is a news organization, they are reporting the news. They do not need to wait for confirmation so long as they are clear not to claim the news they are reporting is confirmed.
this is nonsense and out of reference to subject - I am not talking about normal development code - this would not be an security issue - but instead we are talking about virus and malware that attempts to inject themselves into OS flaws - my opinion the OS should not allow this to happen - unless there is a flaw that prevents the OS from getting exception from a non-Ring 0 code accessing Ring 0 data.
Not sure if you're just intentionally being obtuse or what, but it's Heise that is reporting this, not some random web site desperate for publicity.
Also, the whole point of these flaws is that the OS can't prevent them. They are hardware problems that allow non-ring 0 to access ring 0. Saying that the OS should fix these hardware flaws displays a complete lack of comprehension of what's being discussed. You should probably go back and read some of the papers on Spectre rather than posting in these comments.
This right here. It's really clear that HStewart does not understand Spectre or the types of vulnerabilities it enables. Or basic computer security. Or the reasons why bug bounty programs exist. Or the fact that code is code and 'normal development code' has no actual meaning...
keep in mind I did my OS development about 16 years ago - I do remember finding erratum in an IBM 486SLC which had hardware bug where the cache was inverted. But if there is reliable case that it processor allows access to ring 0 data from non-ring 0 this should be corrected - but if something that OS leaves open - then the OS should be correct.
But it is interesting that Spectre is only in cloud servers - which sounds like OS issue - I believe if I remember right Linux servers first heard about this.
Spectre is an issue in all systems. It is not only in cloud servers. Cloud servers merely have more avenues where exploitation of Spectre would be advantageous for attackers.
Spectre is also not OS specific, it impacts all major OS's ranging from Windows to Linux and OS X and their derivatives.
Please understand I mean nothing personal when I say that this comment is completely without merit. Bad actors already have incentives to find vulnerabilities (the pay-off of whatever it is they want to do, e.g. steal financial information, sabotage another government's infrastructure, etc.) so, yes, it is of unquestionable value that we provide incentives to white-hats to find the same kind of flaws first and successfully document and patch them.
The article mentions Intel in the context of an Intel announcement. Would you like them to make up announcements from AMD and ARM to go with it?
The article explains why there is no "legitimate description" - it's not yet fully investigated.
Yeah, great. The first time in 8 years I've managed to get a motherboard that doesn't have any problems aside from too few USB ports, and now I find out the processor is going to be dragged down in performance even more than before.
Yep when they outed these exploits I said they just opened up a can of worms. I stated that if these exploits had been on systems for all of these years and no one had ever found them before all of this took place chances are very high no one would have ever found them. I had someone tell me well maybe the reason we have had all of these attacks in the past was from these exploits in the CPU's. My reply was well hackers like to think they are 1337 and would have tried to take credit and promoted that they had just hacked crap of all cpu's ever made. Since we have never heard of any of them taking credit for that it stands to reason that they never found these exploits and would have never found them.
Now that it is all out in the open we have had a huge mess to deal with and of coarse every hacker in the world is now clued in and are working like busy little beavers trying to by pass all of the patches and micro code updates.
> chances are very high no one would have ever found them
In your ideal world, yes. But in this world, there's high probability that well-funded researchers of intelligence agencies and state-sponsored hacker groups have already found them.
> would have tried to take credit and promoted that they had just hacked crap of all cpu's ever made
Only for amateur hackers. Professional hackers know how to keep a secret.
> by pass all of the patches and micro code updates
Not something easy to do if done properly. Just look at all those Critical CVEs that have been fixed. Once they are fixed, nearly all of them cannot be sidestepped.
All in all, RESPONSIBLE disclosure is needed so the good guys can erect additional barriers against the bad guys.
Yeah... pretty sure that HStewart and the Thai(?)-sounding names are Russian trolls. Casting doubt on the existence of nation-state level exploits, typical problems writing in English, overly focused on attributing corrupt motives to others. I'd say if Putin wants to waste rubles hiring these idiots to push such stupid arguments, it's better than having them doing straight political disinformation, but I also don't want the relatively high quality comment threads on AT to turn into a toxic swamp that discourages real people from participating.
Genuinely not sure if HStewart is a troll - I have encountered more than a few people whose comprehension is so strained that they find simple concepts troublesome and tend to assume that everyone around them is either hostile or trying to somehow fool them.
Please stop speaking misinformation about me - I just have 30 years of experience in development include almost 7 years of experience in x86 assembly in the USA. I might be in my 50's and a geek with my English less than part - but surely not a Russian troll.
I used to build gaming machines but I have grown up since that. I do like Intel because if you look back they are original producer of the x86 processor - AMD was a clone manufacture because of requirements by IBM on original IBM PC - which is I have one store away in closet.
I would say I am not an AMD Fan boy because they attack people except if they are pro AMD. I don't really care if AMD fanboy's support they AMD but telling others that they should support Intel is not professional .
Lets be mature here and just agree to disagree. I have a different opinion on this stuff
Please stop with the personal attack - be professional and only discuss the topic not against the readers - unless you want this forum to come like WCCFTech.
Is the heat getting too much for you? I think it's just that people are starting to see through your antics, and that you are a hard-core Intel fanboi, whether you will admit it or not.
*Every* article that is pro-Intel, you are there in the first few threads. And if an article is anti-Intel (at least by your standards), you're there inserting stuff about AMD, even when the article doesn't mention anything about AMD. It's almost as if you have an inferiority complex and have to constantly defend Intel and your insecurities about it.
You've said in other posts that you're glad that this Meltdown/Spectre thing is finally past, so we can stop talking about it. What you really mean is that you want it to be over, so (poor) Intel can stop being blasted about Meltdown, which doesn't affect AMD (that must be KILLING YOU to admit that).
In another post, you say that you wouldn't buy AMD CPUs because of how users attack people. Seriously, who in their right mind bases purchasing decisions on how a certain part of the userbase acts? This is the height of foolishness.
In other posts, you are constantly defending that Intel is late with 10nm, while downplaying 7nm from other manufacturers. And you actually believe what you're saying.
Look, you are by far the biggest pro-Intel fanboi I have ever encountered. It's getting to the point that you don't even have to open your mouth or post a message. We can just look at the title of an article and know that (a) you will be there, and (b) you will be rigourously supporting Intel and bashing everything else. And TBH it's getting tiring.
I suppose I will now be labelled as an AMD supporter and 'attacking' you. Never mind the fact that I have both an AMD 1800x *and* Intel 8700K systems. But I'm starting to regret the latter purchase because of Meltdown slowdowns (which are real, whether you admit it or not). But any regret I have for buying Intel is not because of how an Intel fanboi is treating me; it's because of the faulty hardware.
The problem is that most people in these computer forums assume that Meltdown / Spectre is Intel only - at least AnandTech - does not list it as Intel CPU - but just CPU. Spectre NG is document to effect Intel, AMD and ARM.
To be honest this Meltdown/Spectre stuff has not even been notice by me.
On the 10nm vs 7nm - 10nm is not release and I believe that Intel is not going to release it until it absolutely ready - I am just taking there word. Do you really believe that just because 7nm is smaller then 10nm - it means it is more dense - we need to honestly wait until Intel release 10nm. I just remember the frequency wars and just because higher number does not mean higher performance. In Pentium 4 days AMD actual beat Intel.
I am not Anti-AMD, I am Anti-Anti-Intel
Basically lets just agree to disagree - buy the way I not 100% anti-AMD., I was extremely impressed with Dell XPS 15 2in1 especially with that in such a small size it can also have a discrete - I was not sure that I could trust AMD GPU - but I give it a try - only thing I notice specifically about it - is that Steam VR test did not detect it - also I notice older games like SIM 3 crash but SIMS 4 works. I also notice that I had to tweak Photoshop CS 5 because of resolution - but that is not related to Vega GPU - but because of 4k screen.
Of course I own Intel and support Intel - simply because they originally created the CPU - I only stated stuff again AMD when they bring that in Intel specific articles. I be honest here, I think Majority of people using Intel does not care about the contents of these forums. Am I any different than pro-AMD fans stating just wait for 7nm and next version and such. Just agree to disagree with this stuff and keep the anti other product out of discussion. I just think people attack anybody that supports Intel - it nothing against this - but why is that these gamers attack Intel people. It appear to be similar but not as bad as with NVidia. And yes I have own NVidia GPU's - but I am not no stupid miner - and even though I feel my gaming days are starting to end - I still like it for 3d applications and such - but normal activity you really don't need a powerful GPU.
If I read the article in heise.de correctly, at least one of the newly discovered "spectre-new generation" vulnerabilities is actually even more dangerous than spectre ever was, as this new one allows attacks on other virtual machines running on the same machine, including possibly all VMs on that server. This means that AWS, Azure etc. are vulnerable. They, in turn, have various US and other government agencies as their clients, and the information in question can be quite sensitive. As to the "is this real?' question: just read the statement released by Intel in response to questions by heise.de for comment. Intel's answer is quoted verbatim in the article above. Note that Intel does not deny ANY of these vulnerabilities, nor do they dispute the severity of the problem. AMD apparently had "no comment", but a safe assumption is that they might be just as badly affected. So, if your job is somehow linked to keeping proprietary or secret information proprietary and secret, and if you or your users (including customers) utilize VMs and cloud services, then yes, that should concern you. If you're just browsing the web from your gaming rig or your smartphone and practice "basic online hygiene", you're probably okay for now.
Whatever, they will be patched anyway, but what is amazing and not acceptable is that according to the Intel CEO not following the privilege levels defined by the company itself and requiring OS kernel relocation is the intended design, no bug, amazing!
Even more amazing, people accept it and allow the company keep selling and launching the faulty products with the intended design flaw inside!
Interesting to be seing is how long time it will take Until these new problems Are corrected at hardware level. We Are suposed to see 2019 prosessors that may be fixed for Meltdown and spectre... maybe... And now we have new problems that Are fixed in 2020-2021? At hardware level I mean. Softaware fixes will come Sooner ofcourse...
CPUs that doesnt have these exploits fixed on hardware side should be 50% cheaper at least. But instead I still see them at full price. Seriously, WTF is wrong wit the economy if such huge flaws dont make a dent on prices?
We’ve updated our terms. By continuing to use the site and/or by logging into your account, you agree to the Site’s updated Terms of Use and Privacy Policy.
Facebook
Twitter
RSS
77 Comments
Back to Article
eva02langley - Thursday, May 3, 2018 - link
It is kind of disturbing, is this something totally new or is it something that happened because performance was more important than security?Ryan Smith - Thursday, May 3, 2018 - link
A little of both. Side channel attacks as a concept are not new, but the ability to reliably weaponize them in this fashion is. This is stuff that previously was not thought possible. (And yet despite this, you likely don't want a CPU that can't do speculative execution)bji - Thursday, May 3, 2018 - link
Meltdown is a real issue. The seriousness of Spectre, on the other hand, is completely overblown. All you can do with Spectre is slowly, really slowly, read memory from other non-kernel processes, *if* you are able to run some very high CPU usage code for a long time without the owner/user of the computer being attacked realizes it. The value of such an attack is so low as to make it basically irrelevant -- who is going to bother burning CPU cycles to run a Spectre attack when they could use those CPU cycles to attempt numerous other much more significant and valuable attacks?I should clarify: Spectre *is* an important issue for users who run programs that store highly valuable information in memory. But the vast majority of users do not, and the cost of running a Spectra attack and also the extremely low chance of it acquiring anything of useful value, means that for end-users who don't run banks on their computers, it's a non-issue.
It's kind of like saying that for the average person, snake poison is not a danger, so we don't all keep vials of snake bite antidote with us at all times. But that doesn't mean that snake bites are not dangerous, and there are definitely people who *should* keep antivenom with them at all times -- like people who regularly travel through jungles known to be populated by venomous snakes. But would you believe someone who told you that you should keep antivenom with you at all times because a criminal may decide to attack you with a snake? Of course you wouldn't. That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?
PeachNCream - Thursday, May 3, 2018 - link
"That would be silly, because even though snakes are dangerous and theoretically a criminal could use them to attack you, why would they bother, when guns/knives/etc are so much easier to come by and use?"I'm sure that there are people out there that think attacking someone with a danger noodle is a lot cooler than the aforementioned gun or knife even if it is more troublesome. Haven't you seen Indiana Jones or James Bond movies? The bad guy always dangles the hero over a danger noodle pit.
wanderer66 - Friday, May 4, 2018 - link
I too have many deep and important questions, abstract enough to conceal my surface-level understanding of modern CPU architecture. Frankly, I'm only here for the danger noodle.Lord of the Bored - Saturday, May 5, 2018 - link
"I'm only here for the danger noodle."That's what SHE said!
HStewart - Thursday, May 3, 2018 - link
One thing that I am frustrated with this Meltdown/spectre stuff - in my past knowledge of OS development - if non ring 0 stuff attempts to access ring 0 data - it should cause an exception by the processor. If it is from ring 0, then this should be device driver on OS and should not be certified for deployment.Are we talking about realistic issue here? or actual OS issue?
Nutty667 - Friday, May 4, 2018 - link
Accessing memory you don't have access to, DOES cause an exception, but in Intel CPU's it only does this in the retiring phase. Speculative execution that turns out to not be required doesn't get retired, so no exception is thrown.AMD's architecture is different, whereby the privilege check is also done at the start of the memory request even when performed speculatively.
You can't access this memory directly, even though it's been brought into the cache. But you can speculatively use it to cause a performance side effect in memory you can later access and by timing this access, work out what the original value brought into the cache was.
Reflex - Thursday, May 3, 2018 - link
1) Meltdown is a solved problem. It is not a 'class' of attacks where you'll see a new exploit every few months. It was found, functionality that enabled it was disabled/bypassed, and it is now gone as an issue aside from the hit on performance in certain scenarios. Continuing to bring it up outside of the contexts where it hurts performance (databases, virtual machines, etc) is a meaningless distraction.2) The idea that because Spectre is 'slow' it is not a major threat is silly. Of course if an easier exploit exists an attacker will utilize it. But that is a non sequitur, you could say that about literally any exploit. The point is that there will be times when Spectre class vulnerabilities ARE the easiest path to stealing data, especially in virtualized server environments. And the idea that its 'slow' is a relative statement, these CPU's are handling millions of operations per second, 'slow' can still mean it gets everything it needs in a few seconds. Furthermore, since Spectre is a class of issues rather than a specific exploit, it is rich for zero days and unknown exploits from well funded state and criminal actors, where you could see exploits outed years after they were exploited with no one the wiser.
Spectre is a huge problem and its scope is as yet not well understood.
bji - Friday, May 4, 2018 - link
Unless you know who you are attacking and why, spectre is useless. It's not the kind of attack that can be exploited to quickly and easily get some kind of administrative/root access on a machine, so you can't do anything useful with it except extract data. Yes, if you attack someone with known valuable data, then spectre is worthwhile.Another real world analogy for you: spectre is like being able to look at the top left corner of a person's coffee table. You have no idea what you're going to find there or if it's even useful. How many attackers are going to spend time randomly looking at the top left corner of people's coffee table hoping to find information that they can use to their benefit? Sure if the target is rich and you know they tend to leave their bank account details lying around, then it's worth doing. But this implies that you know something about your target. In the vast, vast majority of security exploits out in the wild, the attacker knows nothing about the attacked. They just attack known insecure services hoping to get something of known value -- the ability to use CPU/network cycles on the target machine, and possibly a way to take control of the machine entirely. The attack is an automated process that tries to deliver one or both of those things. A random spectre attack will net the attacker what? Some random memory from a user level process. What is the chance that they will be able to use that in any way? How much CPU power would it take to even analyze the data to sift through it to find useful things? Who would bother?
I would personally patch Meltdown because that's a much more significant attack that can reveal kernel level secrets that could very easily lead to a more substantial attack vector on the machine. Spectre on the other hand, I personally wouldn't even bother for my home systems. Just like I wouldn't bother carrying antivenom around, or ensuring that nothing is in the top left corner of my coffee table just in case someone peeks in the window.
Reflex - Friday, May 4, 2018 - link
Meltdown is already patched. Nothing more to discuss about that one. Spectre's main threat isn't home systems, its cloud based and targeted attacks (for now). You hit someone's infrastructure. Data exfiltration *is* the primary value in attacking corporate networks. And quite frankly that does impact home users when its their data being stored and then leaked.I don't expect Spectre to have much of an impact on home users, although that could change since its only started to be explored. I do expect it to have a large impact on the cloud however as it threatens the security of virtualized hosts substantially.
HStewart - Friday, May 4, 2018 - link
Just FYI, there is something called PCI 3.0 compliance - in this situation for example with restaurants - the account cards are not allow to be stored on system at all - so even if they break in the account is not found. In additional for example with VeriFone systems that have implemented full PCI 3.0 compliance - the accounts are driven by tokens ( and in some cases token less ) to if card number is retrieved - it just a token - a pseudo random on for account. Even the developers at VeriFone do not access to original account.Of course there older systems that are not compliant. some for those systems, if you could some how intercept the cache. then you can hack it.
Sunrise089 - Thursday, May 3, 2018 - link
Commenting out of love for extremely detailed snake analogyAlexvrb - Thursday, May 3, 2018 - link
I ran my 386 at half speed (disabled turbo) when things got dicey playing Snake.beginner99 - Friday, May 4, 2018 - link
Spectre is a huge issue for cloud providers. And if i rent a ec2 instance on amazon you bet I will be running it near 100% fpr most f the time I rent it. That is the point of it. Spectre is a virtualization issue.On the other hand you are right. for consumers spectre is a non-issue mostly. If hacker can run spectre, then he could run much more dangerous and easier tools as well. you lost the battle already.
epdm2be - Friday, May 4, 2018 - link
Perhaps it's time to tone down our reliance on cloud-based services?Things worked fine in the past without the cloud, so I fail to see why we can't step back. Not to mention that many of these cloud-based systems are nothing more than vendor-lock-in schemes to make easy money.
@bji thanks for the snake analogy. That was a clear and spot on explanation.
Midwayman - Friday, May 4, 2018 - link
That's the problem with snake control laws though. Only the criminals have snakes then and what are you going to do when attacked with one?epdm2be - Friday, May 4, 2018 - link
You obviously go to the hospital. They (should) have the necessary anti-venom.Why do you wan't to police yourself if you already pay for a policing institute that should catch these criminals in the first place?
Anyway, have there been real reports of Spectre-compromised systems (yet)?
frenchy_2001 - Friday, May 4, 2018 - link
Spectre does not "compromise" systems, it allows the attacker to extract data and *leaves no trace*.This is the danger of it.
It is a significant risk for *SHARED* computing, like cloud hosts.
However, it is overblown for home users.
Flunk - Friday, May 4, 2018 - link
That's one of the logical fallacies that the NRA hides behind. It's patently ridiculous. You can just as easily say."That's the problem with rocket launcher laws though. Only the criminals have rocket launchers then and what are you going to do when attacked with one?"
Or nuclear weapons, napalm, etc. The argument doesn't hold any water unless you want to argue that literally everything should be legal, regardless of how potentially dangerous it is, and then I doubt many people would agree with you.
willis936 - Thursday, May 3, 2018 - link
I don't see a reason why speculative execution would be inherently unsafe. Has anyone presented this idea with a good argument?Ryan Smith - Thursday, May 3, 2018 - link
Right now it can be used to infer the contents of other programs, including those running at other privilege levels. It's a serious issue with no obvious hardware solution. Developers can write software to essentially fence off things that are at risk, but requiring software developers to protect against hardware flaws is not a good long-term solution.willis936 - Thursday, May 3, 2018 - link
I agree. I'm specifically curious about a proof that shows that future speculative execution designs could not be made more secure. Intuitively I feel that speculative execution could be patched up but I have not put a lot of thought into it.Reflex - Thursday, May 3, 2018 - link
You can't prove a negative. There is no way to 'prove' that future designs can't be exploited. While its possible that you could secure speculative execution in such a way that it could not be exploited the ways we know of currently, we can't really guard against a future we don't know and there is always the question of whether or not the performance tradeoffs of such security won't themselves cost more in perf than the feature gains.Nothing is free.
Billy Tallis - Thursday, May 3, 2018 - link
I think you're underestimating what is possible with a formal analysis of CPU architecture. This kind of property can be proven in the mathematical sense, but full formal analysis of systems with this much complexity is almost always regarded as cost-prohibitive. And it would be an even bigger task to make backwards-compatible modifications to a current architecture to produce one that is completely immune to speculation-related information leaks but still has similar performance to current speculative architectures. It's probably easier to build a new architecture from scratch, even including the costs of breaking compatibility with all existing software.FunBunny2 - Friday, May 4, 2018 - link
"This kind of property can be proven in the mathematical sense, but full formal analysis of systems with this much complexity is almost always regarded as cost-prohibitive."oops. didn't read far enough ahead. :)
FunBunny2 - Friday, May 4, 2018 - link
"You can't prove a negative. "you sort of can. it's called a maths proof. cpu is a manifestation of symbolic logic problem. that's how von Neumann devised the computer in the first place. somewhere along the line, the maths failed. fixing hardware problems (design, not manufacturing) is a white board problem. it's in the maths.
peevee - Friday, May 4, 2018 - link
"And yet despite this, you likely don't want a CPU that can't do speculative execution"I do, if done properly. Speculative execution (beyond conditional branches) is a kludge for outdated processor architectures which place memory too far from cores, and very obvious power waste. Given that even now performance is TDP-limited, days of speculative execution need to come to their end.
willis936 - Saturday, May 5, 2018 - link
Not at all. There is no know alternative, within the current paradigm, to exploit the instruction level parallelism that speculative execution does. For there to not be a benefit you’d have to abandon the very idea of pipelined architectures.HStewart - Thursday, May 3, 2018 - link
I think we should ask the big question, are these researchers helping or hurting the industry?Especially giving rewards to people who find such issues?
What should be look at root of why people create such problems to attack in first place and create stupid Virus and malware in the first place. It has to be download from internet some where - awards should be given to prevent such activity. Not on optimizations of processer to improved performance.
Site is a little bias - it mention Intel in big print at top - but in smaller print mentions that ARM and AMD could also be effected.
Also there is nothing that provide legitimate description of what these issues are. Unless this is provided - how can we trust it.
eva02langley - Thursday, May 3, 2018 - link
Not again, just please, part with your bias.HStewart - Thursday, May 3, 2018 - link
There is no bias here - just opinion - that I think that this stuff is so over blown - and that anybody who does not think the real problem is with people who make virus and malware then they are probably in with the same people.I just concern the site ( not Amandtech but the German one ) did not provide any thing to back up there claims - just that they got 8 new issues. How reliable is that! They are the one that show bias.
ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - link
Why should he part with something so positive as bias?If it were a negative, you could never prove it, making your statement pointless!
Just ask Reflex
eva02langley - Friday, May 4, 2018 - link
His point is kind of using the wrong terminology, what he wanted to say is that you cannot define unknowns that are unknowns.Project Management 101.
willis936 - Thursday, May 3, 2018 - link
>I think we should ask the big question, are these researchers helping or hurting the industry?This isn't a big question. This isn't really a question at all at this point because the answer has existed for decades.
HStewart - Thursday, May 3, 2018 - link
It is still the real problem, if we did not have virus and malware, than this would not be an issue.willis936 - Thursday, May 3, 2018 - link
And as quickly as it is researched publicly it is researched even faster by governments and people that have a financial or defense interest in exploiting vulnerabilities. What are you trying to argue against? The very use of computers?HStewart - Thursday, May 3, 2018 - link
"What are you trying to argue against? The very use of computers?"So creating Virus or Malware is the very use of computers? as a developer, I would say no - it trying to inject bad code on to customer system to create harm to customer.
All I am saying that is real threat here. So I believe this should be handle by OS.
XsjadoKoncept - Thursday, May 3, 2018 - link
Jesus man, how little sense can you make, and how close minded can you be? It's like saying that if governments stopped running domestic intelligence agencies to deter foreign governments from spying by figuring out how they get info and stopping it, then magically the foreign governments will just stop spying.I do dev in the finance industry - if there was a class of attack that went unknown for even a few months because bad actors got there first then we could be open to millions in losses, even bankruptcy - the internet as a marketplace would die instantly as nobody could trust it.
These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely.
FunBunny2 - Friday, May 4, 2018 - link
"These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely."experience, to date, is that FIRE industry has gotten off with little more than slaps on the wrist for their mal/non feasance. the current administration isn't going to hold their feet any closer to the fire (pun intended).
Reflex - Thursday, May 3, 2018 - link
We don't live in a world without viruses and malware, and governments are major perpetrators of them. It isn't going away. So back in the real world, yes it is helpful to find and disclose vulnerabilities and potential vulnerabilities. Nothing else to really discuss there.ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - link
So.....Are you saying we "SHOULD" discuss the malware, backdoors, extortionware and other vulnerabilities that are built into Windows 10?
I'm so confused by your statement.....
Shall I discuss them or not?
I do agree, It would be very helpful to disclose them!
Reflex - Thursday, May 3, 2018 - link
If you have evidence of intentional malware, backdoors, extortionware and other vulnerabilities in Windows 10, of course you should discuss them. If they are unintentional, I would suggest following the industry standard disclosure timelines (you may even get a bounty).ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - link
So no bounty unless they are unintentional?Drats!
Reflex - Thursday, May 3, 2018 - link
So you have nothing, eh?Death666Angel - Thursday, May 3, 2018 - link
Anandtech needs to add the ability to block people to it's commenting system.HStewart - Thursday, May 3, 2018 - link
I would agree on personal attacks on people because they have disagreement in opinion.eva02langley - Friday, May 4, 2018 - link
It was aimed partly at you pal >XDHStewart - Friday, May 4, 2018 - link
I would agree I am being attack here - just because I have a difference of opinion. But that does not give anybody a right to attack me. Let just agree to disagree on this subject.Reflex - Thursday, May 3, 2018 - link
Your comment is nonsensical. The article reports what is *known*. They acknowledge that it may also affect others, but they do not have hard evidence of that yet. My guess is that it will, but in reporting you can't state that definitively.Also, why would you not give rewards to those who find issues? I spent a lot of time as a software QA, the entire job is getting paid to find (and avoid) coding defects. No developer intentionally makes mistakes, but mistakes are made every day because code is complex (as are physical architectures). Creating bounty programs is the responsible thing to do for any company releasing complex products where it is virtually impossible to ever 100% certify everything works as intended.
HStewart - Thursday, May 3, 2018 - link
The mention article was in German, but it had no technical merits to back up its claim. If the reports are existing Spectre issues than why repeat the information and just state patching the OS with updates is not the fix.In my opinion, this is deliberate attempt to bring up an issue to bring attention to themselves. Maybe this German site - wants to bring attention to find a way to get the $250,000 from Microsoft. But are they doing more harm than value?
Reflex - Thursday, May 3, 2018 - link
I'm not certain what your issue is here. This is a news organization, they are reporting the news. They do not need to wait for confirmation so long as they are clear not to claim the news they are reporting is confirmed.HStewart - Friday, May 4, 2018 - link
It not news in forums - it is opinions - real news is based on facts.Reflex - Friday, May 4, 2018 - link
I think you don't understand the meaning of the words news or opinions.HStewart - Thursday, May 3, 2018 - link
"No developer intentionally makes mistakes"this is nonsense and out of reference to subject - I am not talking about normal development code - this would not be an security issue - but instead we are talking about virus and malware that attempts to inject themselves into OS flaws - my opinion the OS should not allow this to happen - unless there is a flaw that prevents the OS from getting exception from a non-Ring 0 code accessing Ring 0 data.
Colin1497 - Thursday, May 3, 2018 - link
Not sure if you're just intentionally being obtuse or what, but it's Heise that is reporting this, not some random web site desperate for publicity.Also, the whole point of these flaws is that the OS can't prevent them. They are hardware problems that allow non-ring 0 to access ring 0. Saying that the OS should fix these hardware flaws displays a complete lack of comprehension of what's being discussed. You should probably go back and read some of the papers on Spectre rather than posting in these comments.
Reflex - Thursday, May 3, 2018 - link
This right here. It's really clear that HStewart does not understand Spectre or the types of vulnerabilities it enables. Or basic computer security. Or the reasons why bug bounty programs exist. Or the fact that code is code and 'normal development code' has no actual meaning...HStewart - Friday, May 4, 2018 - link
keep in mind I did my OS development about 16 years ago - I do remember finding erratum in an IBM 486SLC which had hardware bug where the cache was inverted. But if there is reliable case that it processor allows access to ring 0 data from non-ring 0 this should be corrected - but if something that OS leaves open - then the OS should be correct.But it is interesting that Spectre is only in cloud servers - which sounds like OS issue - I believe if I remember right Linux servers first heard about this.
Reflex - Friday, May 4, 2018 - link
Spectre is an issue in all systems. It is not only in cloud servers. Cloud servers merely have more avenues where exploitation of Spectre would be advantageous for attackers.Spectre is also not OS specific, it impacts all major OS's ranging from Windows to Linux and OS X and their derivatives.
Spunjji - Friday, May 4, 2018 - link
Please understand I mean nothing personal when I say that this comment is completely without merit. Bad actors already have incentives to find vulnerabilities (the pay-off of whatever it is they want to do, e.g. steal financial information, sabotage another government's infrastructure, etc.) so, yes, it is of unquestionable value that we provide incentives to white-hats to find the same kind of flaws first and successfully document and patch them.The article mentions Intel in the context of an Intel announcement. Would you like them to make up announcements from AMD and ARM to go with it?
The article explains why there is no "legitimate description" - it's not yet fully investigated.
In summary, please read more and type less.
dgingeri - Thursday, May 3, 2018 - link
Yeah, great. The first time in 8 years I've managed to get a motherboard that doesn't have any problems aside from too few USB ports, and now I find out the processor is going to be dragged down in performance even more than before.rocky12345 - Thursday, May 3, 2018 - link
Yep when they outed these exploits I said they just opened up a can of worms. I stated that if these exploits had been on systems for all of these years and no one had ever found them before all of this took place chances are very high no one would have ever found them. I had someone tell me well maybe the reason we have had all of these attacks in the past was from these exploits in the CPU's. My reply was well hackers like to think they are 1337 and would have tried to take credit and promoted that they had just hacked crap of all cpu's ever made. Since we have never heard of any of them taking credit for that it stands to reason that they never found these exploits and would have never found them.Now that it is all out in the open we have had a huge mess to deal with and of coarse every hacker in the world is now clued in and are working like busy little beavers trying to by pass all of the patches and micro code updates.
pepoluan - Thursday, May 3, 2018 - link
> chances are very high no one would have ever found themIn your ideal world, yes. But in this world, there's high probability that well-funded researchers of intelligence agencies and state-sponsored hacker groups have already found them.
> would have tried to take credit and promoted that they had just hacked crap of all cpu's ever made
Only for amateur hackers. Professional hackers know how to keep a secret.
> by pass all of the patches and micro code updates
Not something easy to do if done properly. Just look at all those Critical CVEs that have been fixed. Once they are fixed, nearly all of them cannot be sidestepped.
All in all, RESPONSIBLE disclosure is needed so the good guys can erect additional barriers against the bad guys.
golemB - Thursday, May 3, 2018 - link
Yeah... pretty sure that HStewart and the Thai(?)-sounding names are Russian trolls. Casting doubt on the existence of nation-state level exploits, typical problems writing in English, overly focused on attributing corrupt motives to others. I'd say if Putin wants to waste rubles hiring these idiots to push such stupid arguments, it's better than having them doing straight political disinformation, but I also don't want the relatively high quality comment threads on AT to turn into a toxic swamp that discourages real people from participating.Spunjji - Friday, May 4, 2018 - link
Genuinely not sure if HStewart is a troll - I have encountered more than a few people whose comprehension is so strained that they find simple concepts troublesome and tend to assume that everyone around them is either hostile or trying to somehow fool them.eva02langley - Friday, May 4, 2018 - link
No, you are just mistaking them with Intel fanboys. They could be employed by Intel to spread the good word...HStewart - Friday, May 4, 2018 - link
Please stop speaking misinformation about me - I just have 30 years of experience in development include almost 7 years of experience in x86 assembly in the USA. I might be in my 50's and a geek with my English less than part - but surely not a Russian troll.I used to build gaming machines but I have grown up since that. I do like Intel because if you look back they are original producer of the x86 processor - AMD was a clone manufacture because of requirements by IBM on original IBM PC - which is I have one store away in closet.
I would say I am not an AMD Fan boy because they attack people except if they are pro AMD. I don't really care if AMD fanboy's support they AMD but telling others that they should support Intel is not professional .
Lets be mature here and just agree to disagree. I have a different opinion on this stuff
Please stop with the personal attack - be professional and only discuss the topic not against the readers - unless you want this forum to come like WCCFTech.
HStewart - Friday, May 4, 2018 - link
Stewart is my first name and H is first letter of my last name - got it.sa666666 - Friday, May 4, 2018 - link
Is the heat getting too much for you? I think it's just that people are starting to see through your antics, and that you are a hard-core Intel fanboi, whether you will admit it or not.*Every* article that is pro-Intel, you are there in the first few threads. And if an article is anti-Intel (at least by your standards), you're there inserting stuff about AMD, even when the article doesn't mention anything about AMD. It's almost as if you have an inferiority complex and have to constantly defend Intel and your insecurities about it.
You've said in other posts that you're glad that this Meltdown/Spectre thing is finally past, so we can stop talking about it. What you really mean is that you want it to be over, so (poor) Intel can stop being blasted about Meltdown, which doesn't affect AMD (that must be KILLING YOU to admit that).
In another post, you say that you wouldn't buy AMD CPUs because of how users attack people. Seriously, who in their right mind bases purchasing decisions on how a certain part of the userbase acts? This is the height of foolishness.
In other posts, you are constantly defending that Intel is late with 10nm, while downplaying 7nm from other manufacturers. And you actually believe what you're saying.
Look, you are by far the biggest pro-Intel fanboi I have ever encountered. It's getting to the point that you don't even have to open your mouth or post a message. We can just look at the title of an article and know that (a) you will be there, and (b) you will be rigourously supporting Intel and bashing everything else. And TBH it's getting tiring.
I suppose I will now be labelled as an AMD supporter and 'attacking' you. Never mind the fact that I have both an AMD 1800x *and* Intel 8700K systems. But I'm starting to regret the latter purchase because of Meltdown slowdowns (which are real, whether you admit it or not). But any regret I have for buying Intel is not because of how an Intel fanboi is treating me; it's because of the faulty hardware.
HStewart - Friday, May 4, 2018 - link
The problem is that most people in these computer forums assume that Meltdown / Spectre is Intel only - at least AnandTech - does not list it as Intel CPU - but just CPU. Spectre NG is document to effect Intel, AMD and ARM.To be honest this Meltdown/Spectre stuff has not even been notice by me.
On the 10nm vs 7nm - 10nm is not release and I believe that Intel is not going to release it until it absolutely ready - I am just taking there word. Do you really believe that just because 7nm is smaller then 10nm - it means it is more dense - we need to honestly wait until Intel release 10nm. I just remember the frequency wars and just because higher number does not mean higher performance. In Pentium 4 days AMD actual beat Intel.
I am not Anti-AMD, I am Anti-Anti-Intel
Basically lets just agree to disagree - buy the way I not 100% anti-AMD., I was extremely impressed with Dell XPS 15 2in1 especially with that in such a small size it can also have a discrete - I was not sure that I could trust AMD GPU - but I give it a try - only thing I notice specifically about it - is that Steam VR test did not detect it - also I notice older games like SIM 3 crash but SIMS 4 works. I also notice that I had to tweak Photoshop CS 5 because of resolution - but that is not related to Vega GPU - but because of 4k screen.
Of course I own Intel and support Intel - simply because they originally created the CPU - I only stated stuff again AMD when they bring that in Intel specific articles. I be honest here, I think Majority of people using Intel does not care about the contents of these forums. Am I any different than pro-AMD fans stating just wait for 7nm and next version and such. Just agree to disagree with this stuff and keep the anti other product out of discussion. I just think people attack anybody that supports Intel - it nothing against this - but why is that these gamers attack Intel people. It appear to be similar but not as bad as with NVidia. And yes I have own NVidia GPU's - but I am not no stupid miner - and even though I feel my gaming days are starting to end - I still like it for 3d applications and such - but normal activity you really don't need a powerful GPU.
eastcoast_pete - Thursday, May 3, 2018 - link
If I read the article in heise.de correctly, at least one of the newly discovered "spectre-new generation" vulnerabilities is actually even more dangerous than spectre ever was, as this new one allows attacks on other virtual machines running on the same machine, including possibly all VMs on that server. This means that AWS, Azure etc. are vulnerable. They, in turn, have various US and other government agencies as their clients, and the information in question can be quite sensitive. As to the "is this real?' question: just read the statement released by Intel in response to questions by heise.de for comment. Intel's answer is quoted verbatim in the article above. Note that Intel does not deny ANY of these vulnerabilities, nor do they dispute the severity of the problem. AMD apparently had "no comment", but a safe assumption is that they might be just as badly affected. So, if your job is somehow linked to keeping proprietary or secret information proprietary and secret, and if you or your users (including customers) utilize VMs and cloud services, then yes, that should concern you. If you're just browsing the web from your gaming rig or your smartphone and practice "basic online hygiene", you're probably okay for now.LordanSS - Friday, May 4, 2018 - link
Having a solid but disagreeable opinion is one thing. Having nonsense is something else altogether.SydneyBlue120d - Friday, May 4, 2018 - link
Could this be the real reason behind Jim Keller hiring?eva02langley - Friday, May 4, 2018 - link
Nah, it is more for everything. I really doubt he is going to focus on such low level issues. People at his positions are more high level managers.wow&wow - Friday, May 4, 2018 - link
Whatever, they will be patched anyway, but what is amazing and not acceptable is that according to the Intel CEO not following the privilege levels defined by the company itself and requiring OS kernel relocation is the intended design, no bug, amazing!Even more amazing, people accept it and allow the company keep selling and launching the faulty products with the intended design flaw inside!
haukionkannel - Friday, May 4, 2018 - link
Interesting to be seing is how long time it will take Until these new problems Are corrected at hardware level. We Are suposed to see 2019 prosessors that may be fixed for Meltdown and spectre... maybe... And now we have new problems that Are fixed in 2020-2021? At hardware level I mean. Softaware fixes will come Sooner ofcourse...Beaver M. - Sunday, May 6, 2018 - link
CPUs that doesnt have these exploits fixed on hardware side should be 50% cheaper at least. But instead I still see them at full price.Seriously, WTF is wrong wit the economy if such huge flaws dont make a dent on prices?