SoylentNews is people
SoylentNews
from the I'm-going-back-to-using-an-Abacus dept.
Security Researchers Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice
Through the advent of Meltdown and Spectre, there is a heightened element of nervousness around potential security flaws in modern high-performance processors, especially those that deal with the core and critical components of company business and international infrastructure. Today, CTS-Labs, a security company based in Israel, has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines. AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.
[...] At this point AMD has not confirmed any of the issues brought forth in the CTS-Labs whitepaper, so we cannot confirm in the findings are accurate. It has been brought to our attention that some press were pre-briefed on the issue, perhaps before AMD was notified, and that the website that CTS-Labs has setup for the issue was registered on February 22nd, several weeks ago. Given the level of graphics on the site, it does look like a planned 'announcement' has been in the works for a little while, seemingly with little regard for AMD's response on the issue. This is compared to Meltdown and Spectre, which was shared among the affected companies several months before a planned public disclosure. CTS-Labs has also hired a PR firm to deal with incoming requests for information, which is also an interesting avenue to the story, as this is normally not the route these security companies take. CTS-Labs is a security focused research firm, but does not disclose its customers or research leading to this disclosure. CTS-Labs was started in 2017, and this is their first public report.
CTS-Labs' claims revolve around AMD's Secure Processor and Promontory Chipset, and fall into four main categories, which CTS-Labs has named for maximum effect. Each category has sub-sections within.
Severe Security Advisory on AMD Processors from CTS.
Also at Tom's Hardware, Motherboard, BGR, Reuters, and Ars Technica.
(Score: -1, Offtopic) by Anonymous Coward on Wednesday March 14 2018, @12:58PM
https://78.media.tumblr.com/tumblr_m6682mxtuF1rt0g8wo1_500.gif [tumblr.com]
(Score: 4, Interesting) by The Mighty Buzzard on Wednesday March 14 2018, @01:01PM (23 children)
People, distribute your shit as something other than a compiled document format or I won't be reading it unless it's directly necessitated by my job. I don't need your bitch asses telling me the fonts and layout I have to view your document in. It pisses me off.
My rights don't end where your fear begins.
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 14 2018, @01:05PM (13 children)
wit yo bitch slap rappin and yo cocaine tongue you get
NOTHING DONE!
(Score: 2) by The Mighty Buzzard on Wednesday March 14 2018, @01:24PM (12 children)
Heh, that's from back when Axl wasn't near so much of a little bitch. Glad I'm not the only ancient person here.
My rights don't end where your fear begins.
(Score: 2) by Grishnakh on Wednesday March 14 2018, @02:46PM (11 children)
Axl was always a little bitch. But back then, he was entertaining, talented, and also managed to hold his band together so they could actually produce a good amount of material and get it published, and go on tour with it. Somewhere in the mid-90s it all fell apart and he couldn't keep things together for some reason.
I definitely miss those days, at least for the music. Today's music is crap, and it's not because I'm older. Music went down the tubes in the US starting with grunge and "alternative", and then really went to hell after ~2000, which, I hate to say it, seems to coincide with Napster and file-trading (but also coincides with widespread availability of the internet).
(Score: 3, Insightful) by The Mighty Buzzard on Wednesday March 14 2018, @03:02PM (7 children)
IMO, the only ones who did grunge properly were Nirvana. Nevermind belongs in any fan of American music's collection. It did come out at a time that was more or less the beginning of the end for good rock music in the US though.
It's not even just rock either. Country music kind of went to shit around the same time. Most of what you hear nowadays on country stations could be more accurately described as twang-pop and is preformed by manscaped little bitches whose boots have never seen cow shit and soulless, carbon copy blonde chicks who grew up in suburbia.
Looking back, you know what I think caused it all? Johnny Cash died.
My rights don't end where your fear begins.
(Score: 1) by fustakrakich on Wednesday March 14 2018, @04:11PM
Johnny Cash died.
The bastard!
La politica e i criminali sono la stessa cosa..
(Score: 2) by Grishnakh on Wednesday March 14 2018, @04:39PM (4 children)
IMO, the only ones who did grunge properly were Nirvana. Nevermind belongs in any fan of American music's collection.
I was never much of a fan of grunge, but I did like Pearl Jam's first album, Ten, and have it in my collection. But I didn't like anything they made afterwards.
Most of what you hear nowadays on country stations could be more accurately described as twang-pop
I've heard it called "redneck rock". Though I haven't listened to much country, I agree that it definitely seems that it's lost whatever authenticity that it once had.
Looking back, you know what I think caused it all? Johnny Cash died.
No, you could just as easily blame it on anything else that coincided, such as the invention of the WWW, the move away from boxiness in cars (remember how boxy 80s cars were?), the first Gulf War, the breakup of the Soviet Union, etc.
It'd be interesting to arrange a panel of long-time music industry insiders and see what they come up with after asking them to debate it. I think it's probably a convergence of many different factors; the internet might be part of it, but I saw music going downhill in the early 90s, before Napster was invented and before MP3 became a thing, though the internet seemed to make it worse. Also, it seems like things are really different overseas; back in the 80s I think western Europeans and Americans shared much of the same tastes in music (look how many pop acts crossed the ocean--ABBA was from Sweden for instance, and lots of rock bands came from England such as Def Leppard and of course The Beatles), whereas after this shift it seemed that Americans went their own way with music, and now there's little or nothing crossing the Atlantic like before. I've been a big metal fan, but in the 90s Americans completely lost all interest in metal, whereas in Europe and even Japan it stayed popular for a long time, and is still much more popular there than here.
(Score: 0) by Anonymous Coward on Wednesday March 14 2018, @04:56PM
"But I didn't like anything they made afterwards."
sounds about right for you.
(Score: 2) by The Mighty Buzzard on Wednesday March 14 2018, @05:17PM (1 child)
Well it was mostly said in jest but there's a case to be made that Cash had a bigger influence on American music culture than most anyone else due to his inter-demographic popularity, his longevity, and a style that fit in as well with Elvis as it did with Willie or NIN.
My rights don't end where your fear begins.
(Score: 2) by deimtee on Thursday March 15 2018, @11:34AM
Johnny Cash's version of 'Hurt' is one of the most moving and awesome songs ever.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 1) by redneckmother on Wednesday March 14 2018, @05:32PM
It all seemed to fall to shit with the advent of "formula rock", where startup bands copied riffs, themes, and progressions from the "greats".
Mas cerveza por favor.
(Score: 2) by RamiK on Wednesday March 14 2018, @11:21PM
Dilly Dally [youtube.com] might be up your alley. Honestly I only found about them now looking up "modern grunge 2017" and ending up in this post [reddit.com] which is full of bands you might like...
Personally, Nirvana was something of a first love for me so I can't really say I'm not fond of popular music at all... But somewhere along The Black Dahlia Murder's What A Horrible Night To Have A Curse, Russ Liquid's Feral Cat, Animals As Leaders's An Infinite Regression and Meshuggah's The Demon's Name Is Surveillance, I've realized I'll never find music I like unless I'll actively look it up. Take it however you like it.
Btw, Tool finally booked recording time: https://consequenceofsound.net/2018/03/tools-new-album-is-about-to-begin-in-earnest/ [consequenceofsound.net] Came up reading your post and realizing the only country I ever liked was a certain Pusifer track [youtube.com] :D
compiling...
(Score: 3, Insightful) by letssee on Wednesday March 14 2018, @04:57PM (2 children)
There might be something to that correlation (the rise of shitty music vs the rise of the internets).
It's not that there's less good music today. People are making *lots* of good music everywhere. it just stays in their respective niche markets and the 'pop' market which is played on radio/tv and linked to from the main interwebs pages is getting more bland by the year.
I think it has something to do with the big record labels playing it safe all the time. Also, the 'record deal' is not really the holy grail in musicianship anymore. Selling CD's has become a form of promotion, and not your main source of income. Playing live is where you have to make your money now (just like pre-1900 actually, but harder because people don't *need* to book a band to have music). Most band I like self-publish their music these days. But the self-published stuff won't be heard in the 'mainstream' media of course.
(Score: 2) by Grishnakh on Wednesday March 14 2018, @05:31PM (1 child)
I think it has something to do with the big record labels playing it safe all the time.
I think there may be something to that, and I think there's a big parallel in the movie industry. They don't make risky movies much any more, so we don't see big blockbusters like "Alien" (which at the time was an all-new thing) or Blade Runner, but instead we do see sequels to these decades-old movies. In their mind, it's better to make a smaller profit on a big-budget sequel/franchise movie (like yet another Marvel comic movie) than to potentially make a giant profit on something all-new, but risk it being a flop.
(Score: 2) by cubancigar11 on Thursday March 15 2018, @04:26AM
I will build on it and say that it is because public is media saturated and that makes it difficult for it to try something new unless it has been heavily marketed. When you have to have multi-million dollar budget just for marketing of an already well established brand like marvel, imagine the minimum risk involved in a new concept.
TL;DR After watching tub-girl and goatse one will prefer watching a safe formulaic movie.
(Score: 2, Interesting) by pTamok on Wednesday March 14 2018, @01:51PM (3 children)
You don't have to view it with the original fonts and layout.
Open it in your chosen PDF reader application.
Select All
Copy
Paste into your text editor of choice
Make any changes you wish
Read
Your problem is one experienced by blind and partially-sighted people the world over, however many people understand that documents should be made accessible. This normally means accessible to the software used by people with hindrances to their sight, but often has the side effect of making the text available to people who prefer to view it in other ways than the originator decided.
The above process doesn't always work, depending on what restrictions the PDF creators have wished to impose on the document, but in general, if documents are made accessible to the blind and partially sighted, you will be able to alter the format to your wishes too. So it makes sense to support making documents accessible, and encouraging other people to do the same.
(Score: 3, Informative) by The Mighty Buzzard on Wednesday March 14 2018, @02:06PM (2 children)
Yep, that's my beef. Otherwise I'd just automate the conversion and only be mildly annoyed once in a while. It's not just creator's preference though, it's epically fucked up layout decisions as well. Less than half of the PDF files I've ever tried to convert to text have managed to be anything but FUBAR on output.
My rights don't end where your fear begins.
(Score: 1) by pTamok on Wednesday March 14 2018, @03:16PM
That is my experience as well.
I suspect some of it is deliberate, to prevent easy copyright violations - things like random line breaks appearing in words, and random spaces added. I have even come across documents where there was a line break after each character. One of the worst was one where every pair of lines was swapped. People using screen-reading aids would have had no chance of making anything intelligible from those documents.
(Score: 4, Informative) by deimtee on Thursday March 15 2018, @11:47AM
I work in printing. This pisses me off no end. The original purpose of PDF was a format that looked the same everywhere. Set it up on your screen, PDF it, check the PDF and then send it to me. The printed copy will look identical to what you saw on your screen when looking at the PDF. That was the purpose of PDF. (and up to PDF4 worked great)
Then fucking Adobe got greedy, tried to add shit to PDF that was not compatible with static formats to 'take over the web', fucked it up for printing, and it's still shit for everything else they try to foist it off onto. Arseholes the lot of them.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 3, Insightful) by Whoever on Wednesday March 14 2018, @03:31PM (1 child)
They don't care about you.
This looks like a hit-piece and you are not the target audience.
(Score: 4, Interesting) by jmorris on Wednesday March 14 2018, @09:19PM
Yup, nailed it. This document has an audience of one, the guy at Microsoft who approved the mass purchase of AMD product for Azure.
Read it, any vuln affecting servers and cloud will focus on exploiting Linux and mention Microsoft's legacy product as an aside. This one is 100% focused on Windows and Azure to the point it never even mentions the existence of another operating system. The exploits do not provide enough detail to say much with certainty, but that isn't the point. The point is to create enough FUD to pause the rollout that was probably about to begin. This document clearly comes directly from Intel's Israeli operation.
The only one that looks threatening is the last one, "Chimera". And if any ASMedia USB controller is impacted then a hell of a lot of Huggies are about to get filled.
(Score: 2) by Walzmyn on Wednesday March 14 2018, @03:46PM (1 child)
Ooohhh, you're not fooling us!
We know you don't have a job!
(Score: 2) by The Mighty Buzzard on Wednesday March 14 2018, @03:56PM
Working for other people is for suckers. If you're not already in agreement with me, give it a few years and you will be.
My rights don't end where your fear begins.
(Score: 2) by epitaxial on Wednesday March 14 2018, @11:24PM
Sounds like your problem using an OS that can't view a PDF file.
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 14 2018, @01:10PM (1 child)
Step One: you build hardware with a backdoor.
Step Two: world+dog get use of your "secret" backdoor. Who'da thunk it?
It happened a thousand times or so, Totally Unexpected every single time.
(Score: 2) by bob_super on Wednesday March 14 2018, @07:54PM
More than halfway down the page ... the first on-topic comment.
Not necessarily the most useful or entertaining, but credit for keeping your focus.
(Score: 5, Interesting) by Anonymous Coward on Wednesday March 14 2018, @01:10PM (7 children)
I thought this was already debunked yesterday? I heard they are actual unplanned behaviours that you need physical root access to take advantage of, at which point the point is moot. Also the big deal with meltdown/spectre was the performance hit of fixing them, but no mention of that in this case.
Further that the people behind this are known stock manipulators, without any security expertise, and may have also been funded by intel (although that last part seemed to be only wild speculation).
(Score: 0) by Anonymous Coward on Wednesday March 14 2018, @01:24PM
Earlier discussions:
https://www.reddit.com/r/AMD_Stock/comments/844vht/techies_discuss_amdflawscom/ [reddit.com]
(Score: 1, Insightful) by Anonymous Coward on Wednesday March 14 2018, @01:27PM (4 children)
Problem is not whether you need root for it. Problem is whether you need a new computer after it.
Local root exploits do regularly surface, at least a few every year. Add a payload that persists till you scrap the hardware, and suddenly they become MUCH more profitable.
(Score: 0) by Anonymous Coward on Wednesday March 14 2018, @02:04PM (3 children)
Is that the case here?
(Score: 2) by tonyPick on Wednesday March 14 2018, @02:27PM (2 children)
Yes: From the Ars Technica article:
And to quote from the paper the attacks:
So you may not have exposed root, but how do you know what happened to the chip before you got it? That's a big problem.
(Score: 1, Interesting) by Anonymous Coward on Wednesday March 14 2018, @03:24PM (1 child)
If attackers can run code on the secure pricessor then can't the user as well?
(Score: 2) by jasassin on Thursday March 15 2018, @03:50PM
Nope. The user definitely cannot run code on the secure pricessor.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by FatPhil on Thursday March 15 2018, @11:47AM
Domain Name: safefirmware.com
Registrar URL: http://www.godaddy.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by DannyB on Wednesday March 14 2018, @02:06PM (10 children)
A different approach.
The writing about designing software to exploit multiple cores has been on the wall for more than a dozen years.
How about a larger number of somewhat slower cores, that are of simple(er) design. Without all kinds of contortions to make a single thread run at the ultimate speed. Especially contortions that lead to security issues, such as leaking timing information when addressing memory pages of other processes. Make it simpler. Make it verifiable. Not only for execution correctness. But for security correctness.
Maybe I'm wrong, but it seems to me that there are not that many things, especially desktop computer operations, that cannot be done on multiple cores. Many raster graphics operations (eg, Photoshop) are embarrassingly parallel. And codecs. Even recomputing a spreadsheet, with all its cell interdependencies could be done in parallel by multiple cores -- and presents a very interesting challenge to do so. When you insert one line into a word processer, document, there are ways to rapidly re-paginate all of the subsequent pages up to the next manually inserted page break.
I would like to see the next bragging rights be about how many cores your system has instead of a nominal (sometimes meaningless) increase in clock speed. What? Your system has only 64 cores? Well my system has 96 cores, so there! Etc.
Maybe there is an opportunity for newer architecture processors here? Intel's architecture has over 40 years of baggage. It was designed to be source code (assembler) compatible with 8080. That's a pretty lousy design goal in hindsight, that saddled us with segment registers for several decades while the classic Mac had the nice clean 68000 instruction set that was a pleasure to program (yes, in assembly). With a powerful enough macro assembler you could almost macro-ize your code to create stack frames, push parameters, create local variables, etc to almost have "C".
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 3, Informative) by The Mighty Buzzard on Wednesday March 14 2018, @02:24PM (8 children)
In theory you're not wrong. In practice you are. In theory, there aren't many things that can't be broken down into very simple tasks and done in parallel, asynchronously, or both. In practice, being able to identify them and program that way is not something the majority of programmers are especially good at.
My rights don't end where your fear begins.
(Score: 2) by tonyPick on Wednesday March 14 2018, @02:32PM
On this subject see Also: https://en.wikipedia.org/wiki/Amdahl%27s_law [wikipedia.org]
And this discussion of when it applies, and when it does not [archive.org]
(Score: 4, Informative) by DannyB on Wednesday March 14 2018, @02:44PM (6 children)
It seems that if systems got more and more cores, the incentive to exploit them would drive programmers to become good at this.
People already go through horrible contortions to exploit the power of GPUs for non-graphics tasks. Imagine if you could use any language(s) you liked, but simply broke your program up to use concurrent threads. There are already various ways to exploit this. Message passing frameworks. Fork/Join operations that are easy to use.
Here is but one simple practical example of Fork/Join that I used some months back. On a personal side project, unrelated to work. I need to produce a "heat map" type plot on a polar axis (eg, center point, with compass bearing and elevation). I need to process millions or tens of millions of data points to produce this plot. I create a 2D array of "buckets" of average signal strength. Each bucket in the array represents the strength of a pixel (eg color) on the plot. Each bucket has a sum and an average. (Later also min, max, etc) Now simply loop over all of the data points. Each data point lands into exactly one bucket, depending on that data point's compass bearing from the center point and elevation above the horizon. When a data point is added to a bucket, you simply add its signal strength and increment the number-of-points counter. Thus when it comes time to draw the plot, the average is easily computed as total strength divided by number of points.
Great. But it takes too long to plot. Many seconds. Maybe up to a minute. On a fast machine. Especially as number of data points keeps increasing over time.
New approach. Do it in parallel. Take, say 30 million points, and break it up into "work units". Let's say half a million points per work unit. Put the work units into a queue. Use Java's Executor framework to create executors (enough so that every core can run one). The framework takes a work unit off the queue and hands it to an executor. Each executor is a pure function. It takes the work unit (a set of data points) and produces a single result, the 2D array of bucket averages. The results are put into an output queue. Another process reduces the 2D arrays by smashing them together. Corresponding points of each bucket in 2 arrays are accumulated together, until ultimately you have one single 2D array that represents the entire result.
The speedup was dramatic. You could see all of the cpu cores light up. The whole thing was done in a few seconds. Now it was easy to alter plot parameters and almost immediately see drawn results.
I used easy to use frameworks in Java to do this. (and Swing.)
It's just a change in the way of thinking. Programmers need to start thinking like this. It is the future. There is only so fast you can make CPUs go. But we can continue adding more and more transistors. So what will happen? Either we'll keep making single cores have way more transistors, or we'll eventually start making more and more cores. Cheaper and cheaper.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by DannyB on Wednesday March 14 2018, @02:46PM
Just to add: My new approach was literally a map/reduce. Each work unit was "mapped" by a function. So transform one list into another list. And then reduce pairwise items in the list until a single 2D array remains.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by The Mighty Buzzard on Wednesday March 14 2018, @03:07PM (4 children)
You'd think. Apparently it's just not the way most people's brains work. I mean we have sixteen core desktop processors that can run thirty-two threads at once and not much has changed. I really don't understand why though. Even my IRC bot is multi-threaded and asynchronous. Maybe I'm just weird.
My rights don't end where your fear begins.
(Score: 2) by DannyB on Wednesday March 14 2018, @03:45PM (3 children)
Ten years ago I did not find it straightforward to think this way.
I considered that, logically, having to parallelize is the way of the future. Inevitable, IMO.
So I begin trying to think this way. I think it like learning to code in the first place. You just have to practice. Maybe early in one's learning, the whole idea of thinking this way needs to be introduced. With examples. And it doesn't hurt if more languages had easy to use frameworks to easily do map/reduce operations easily with ease quite easily.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by The Mighty Buzzard on Wednesday March 14 2018, @04:01PM (1 child)
Well, not everything's big data even today, so map reduce proficiency would be of limited usefulness to programmers as a whole. Being able to write your program in such a way as to eliminate threading bottlenecks though, that should be required for every code monkey's mental toolbox.
My rights don't end where your fear begins.
(Score: 2) by DannyB on Wednesday March 14 2018, @04:38PM
Map / Reduce is not just for big data.
It is something any Lisp programmer understands, long before big data.
I just gave an example where I did map/reduce in a desktop GUI application. (I mentioned "Swing" on Java) And got a dramatic performance improvement.
I increasingly see applications of the technique without big data.
(Unless you consider my input data file of tens of millions of data points to be big data.)
Using map / reduce, or message passing frameworks are both ways for an average code monkey to write correct multi-threaded code. Part of this is to have higher order languages that provide suitable abstractions.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 3, Insightful) by TheRaven on Wednesday March 14 2018, @05:03PM
sudo mod me up
(Score: 2) by takyon on Wednesday March 14 2018, @03:01PM
With the Ryzen/Threadripper and Core i9 launches, we've pretty much gotten to that point. And the wide availability of 8+ cores will hopefully lead to more parallelism where possible.
As for the baggage, maybe Intel could do something silly like use EMIB to put ARM cores on every x86 chip. Or make their chips more FPGA-like. But I expect they will just accumulate more baggage, save for some features cut down due to known security risks.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 5, Interesting) by LoRdTAW on Wednesday March 14 2018, @03:33PM (1 child)
I've been reading up on this myself and found an article questioning the motivations of the hackers responsible for the release. Apparently there is a connection between the groups founder and his financial company which has profited from stock bashing before. This looks like a fraud case where the "hackers" are really banksters looking to devalue AMD's shares.
Source: https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs [gamersnexus.net]
HN discussion: https://news.ycombinator.com/item?id=16582619 [ycombinator.com]
(Score: 1, Funny) by Anonymous Coward on Wednesday March 14 2018, @03:58PM
If perception of amd processors can be hacked isnt that a vulnerabilty itself? A processor must be beyond reproach.
(Score: 2) by linkdude64 on Thursday March 15 2018, @03:25PM
Funny coincidence that that's where AMD's largest competitor has a lot of their business.
(Score: 2) by takyon on Friday March 16 2018, @08:16PM
https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs [anandtech.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]