Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Sunday January 07, @11:18PM   Printer-friendly
from the everyone-out-of-the-pool dept.

Arthur T Knackerbracket has found the following story:

Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm and AMD CPU cores this week.

The California tech giant picked the favored Friday US West Coast afternoon "news dump" slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.

[...] Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way.

[...] Apple, which too bases its iOS A-series processors on Arm's instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS. The iGiant's Intel-based Macs also need the latest macOS, version 10.13.2 or greater, to kill off Meltdown attacks.

Google has decided to publicly disclose the well speculated on CPU based security flaw ahead of their original schedule as a response to the rapidly increasing amount of information that is becoming available. It's official: Google was able to construct a PoC that can read kernel memory at a speed around 2000 bytes per second from a user space application. An overview of the situation is available at the Project Zero blog. Despite the AMD Linux kernel patch that disables the existing known mitigation for their processors Google specifically names AMD CPUs as suffering from the flaw along with Intel and ARM.

Linus Torvalds: "Is Intel basically saying 'We are committed to selling you shit forever and ever, and never fixing anything'?"

Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors. [...] Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."

The Finn, who is known for never beating about the bush where technical issues are concerned, questioned what Intel was actually trying to say. "Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."

Intel Says Updates Will Render Systems "Immune" to Meltdown and Spectre Exploits

What does "immunity" to the "Meltdown" bug mean, and at what cost does it come?

Intel says it has developed and is issuing updates for all types of Intel-based machines that will "render those systems immune from both exploits (referred to as 'Spectre' and 'Meltdown') reported by Google Project Zero. "Intel has already issued updates for the majority of processor products introduced within the past five years," says an Intel spokesperson. "By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years."

Intel's reference to "immune" is an interesting twist in this saga. The New York Times reported yesterday that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, and that we could be living with the threat of a Spectre attack for years to come. Intel's wording appears to suggest that this isn't the case for its own processors and security fixes.

Intel is facing class action lawsuits over Meltdown:

Just days after The Register revealed a serious security hole in its CPU designs, Intel is the target of three different class-action lawsuits in America.

Complaints filed in US district courts in San Francisco, CA [PDF], Eugene, OR [PDF], and Indianapolis, IN [PDF] accuse the chip kingpin of, among other things, deceptive practices, breach of implied warranty, negligence, unfair competition, and unjust enrichment.

The RISC-V Foundation would like to remind you that RISC-V is not affected.

Previously: Major Hardware Bug Quietly Being Patched in the Open
Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35% [Update: 2]
Don't Expect Intel Chip Recall After Spectre and Meltdown, CEO Says



Original Submission #1Original Submission #2Original Submission #3Original Submission #4Original Submission #5

Related Stories

Major Hardware Bug Quietly Being Patched in the Open 54 comments

Spotted over on HN:

The mysterious case of the Linux Page Table Isolation patches (archive)

tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.

Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!


Original Submission

Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35% [Update: 2] 103 comments

UPDATE 2: (martyb)

This still-developing story is full of twists and turns. It seems that Intel chips are definitely implicated (AFAICT anything post Pentium Pro). There have been various reports, and denials, that AMD and ARM are also affected. There are actually two vulnerabilities being addressed. Reports are that a local user can access arbitrary kernel memory and that, separately, a process in a VM can access contents of other virtual machines on a host system. These discoveries were embargoed for release until January 9th, but were pre-empted when The Register first leaked news of the issues.

At this time, manufacturers are scrambling to make statements on their products' susceptibility. Expect a slew of releases of urgent security fixes for a variety of OSs, as well as mandatory reboots of VMs on cloud services such as Azure and AWS. Implications are that there is going to be a performance hit on most systems, which may have cascading follow-on effects for performance-dependent activities like DB servers.

To get started, see the very readable and clearly-written article at Ars Technica: What’s behind the Intel design flaw forcing numerous patches?.

Google Security Blog: Today's CPU vulnerability: what you need to know.
Google Project Zero: Reading privileged memory with a side-channel, which goes into detail as to what problems are being addressed as well as including CVEs:

Don't Expect Intel Chip Recall After Spectre and Meltdown, CEO Says 48 comments

Submitted via IRC for Bytram

Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, ain't gonna happen.

Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. Meltdown and Spectre are proving similarly damaging to Intel's brand, sending the company's stock down more than 5 percent.

[...] But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said Thursday that 90 percent of computers released in the last 5 years will have fixes available by the end of next week. "This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches."

Source: Nope, no Intel chip recall after Spectre and Meltdown, CEO says


Original Submission

Data Centers Consider Intel's Rivals 14 comments

Amid the ongoing Meltdown fiasco, Intel has only one way to go in the data center... down. Intel may be forced to offer discounts or rebates to prevent customers from eventually moving to AMD x86 chips (such as Epyc) or even ARM chips:

Intel chips back 98% of data center operations, according to industry consultancy IDC. [...] Microsoft said on Tuesday the patches necessary to secure the threats could have a significant performance impact on servers.

[...] For Gleb Budman's company, San Mateo-based online storage firm Backblaze, building with ARM chips would not be difficult. "If ARM provides enough computing power at lower cost or lower power than x86, it would be a strong incentive for us to switch," said Budman. "If the fix for x86 results in a dramatically decreased level of performance, that might increasingly push in favor of switching to ARM."

Infinitely Virtual, a Los Angeles-based cloud computing vendor, is counting on Intel to replace equipment or offer a rebate to make up for the loss in computing power, Chief Executive Adam Stern said in an interview. "If Intel doesn't step up and do something to make this right then we're going to have to punish them in the marketplace by not purchasing their products," said Stern, whose company relies exclusively on Intel processors.

[...] Both Qualcomm and Cavium are developing ARM chips aimed at data centers. Cavium said it aimed to rival the performance of Intel chips for applications like databases and the content-delivery networks that help speed things like how fast online videos load.


Original Submission

Laptop and Phone Convergence at CES 17 comments

New laptops are drawing upon features/attributes associated with smartphones, such as LTE connectivity, ARM processors, (relatively) high battery life, and walled gardens:

This year's crop of CES laptops -- which we'll define broadly to include Windows-based two-in-one hybrids and slates -- even show signs of a sudden evolutionary leap. The long-predicted PC-phone convergence is happening, but rather than phones becoming more like computers, computers are becoming more like phones.

The most obvious way this is happening is the new breed of laptops that ditch the traditional Intel (and sometimes AMD) processors for new Snapdragon processors from Qualcomm. So far, we've seen three of these Snapdragon systems announced: the HP Envy x2, the Asus NoveGo and the Lenovo Miix 630.

Laptops with lower-end processors have been tried before, with limited success. Why is now potentially the right time? Because these systems aren't being pitched as bargain basement throwaways -- and in fact, they'll cost $600 and up, the same as many mainstream laptops in the US. Instead, they promise some very high-end features, including always-on LTE connectivity (like a phone) and 20-plus hours of battery life with weeks of standby time, which also sounds more like a phone than a PC. The tradeoff is that these Snapdragon laptops run Windows 10 S, a limited version of Windows 10, which only allows apps from the official Microsoft app store. That's also similar to the walled garden of mobile OS apps many phones embrace.

[...] There's another take on phone-laptop convergence happening here at CES. Razer, the PC and accessory maker, always brings one or two inventive prototypes to CES, such as last year's triple-screen Project Valerie laptop. The concept piece for CES 2018 is Project Linda, a 13-inch laptop shell, with a large cutout where the touchpad would normally be. You drop a Razer Phone in that slot, press a button, and the two pieces connect, with the laptop body acting as a high-end dock for the phone. The phone acts as a touchpad and also a second screen, and it works with the growing number of Android apps that have been specially formatted for larger laptop screens or computer monitors.


Original Submission

Display Options Threshold/Breakthrough

Reply to Article

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Insightful) by Apparition on Sunday January 07, @11:25PM (27 children)

    by Apparition (6835) Subscriber Badge on Sunday January 07, @11:25PM (#619325)

    In the short term, Meltdown and Spectre are PR disasters for Intel, AMD, ARM, Qualcomm, etc. However, in the long term, Spectre is a holiday gift for them all. The only real way to fix Spectre is via new hardware, which will see release in 2019 or 2020. That means new desktop computers for governments and businesses, and new notebook computers, smartphones, and tablets for everyone! Merry Christmas, Happy Hanukkah, and Happy New Year, Intel, AMD, ARM, Qualcomm, Apple, Samsung, Dell, Lenovo, etc.

    • (Score: 2, Interesting) by Anonymous Coward on Sunday January 07, @11:34PM (6 children)

      by Anonymous Coward on Sunday January 07, @11:34PM (#619327)

      This is just getting started. Some bright spark last year decided to start fuzzing CPU instructions. This is something the chip manufactures should have been doing. They better get on it ASAFP. Security and tech through obscurity does not work. When everyone learns this lesson yet again. We all get to pay for it. They are going to find more and more just like this for a long time.

      This means things like pretty much all new cars have it. Your routers have it. Your internet modems have it. That oh so clever internet connected thermostat will have it. So on and so on. This is going to be *ugly*.

      • (Score: -1, Offtopic) by Anonymous Coward on Monday January 08, @12:28AM (1 child)

        by Anonymous Coward on Monday January 08, @12:28AM (#619339)

        The Kind Rapist. A legend or reality? The answer to that is, as you may have guessed, unconfirmed. You decide.

        Rumor has it that there exists a rapist who is unbelievably kind to those he rapes. There are various stories that tell of his kindness. One story states that, after raping and murdering a 9 year old female child, he magnanimously threw a half-eaten lolly pop on the corpse. Another story states that he only beat and raped a woman who casually strolled past him a billion times for her heinous transgressions. Yet another story states that he always rapes with a gentle smile on his face. All of these stories have one obvious commonality, which is that they portray this individual as gentle and merciful, perhaps even as a saint.

        The story of The Kind Rapist is sure to live on for many generations. But is it just a story?

        • (Score: 0) by Anonymous Coward on Monday January 08, @03:41AM

          by Anonymous Coward on Monday January 08, @03:41AM (#619387)

          This individual has been repeatedly posting NOISE about body parts and sex with children and such.

          Yes, it is "Offtopic".
          If that is how you mod it, however, those posts won't get the attention they deserve from the site's staff and the serial abuser will continue to abuse the site.

          The correct mod for posts in this continuous stream of noise is SPAM.

          -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Monday January 08, @12:42AM (3 children)

        by Anonymous Coward on Monday January 08, @12:42AM (#619346)

        The notion that "security by obscurity doesn't work" doesn't mean what you think it means.

        It means that if you try to keep your mechanisms secret, you'll probably be compromised. This is because your particular, individual ideas are probably not that smart; it's much better to use mechanisms that have been vetted by very many intelligent people over a lengthy period of time, and which have already been proven under real-world attacks.

        The mechanisms of a lock, though public knowledge, are buried obscurely in a metal body.

        Your cryptographic key is a number that is so obscure, it's nearly impossible to guess.

        • (Score: 0) by Anonymous Coward on Monday January 08, @02:44AM (2 children)

          by Anonymous Coward on Monday January 08, @02:44AM (#619375)

          I would be money that if you asked a HW eng from intel a few years ago if it is possible they would have said 'nope too hard' 'is it doced?' 'nah doesnt matter its impossible'.

          It means exactly what I stated. You are being too narrow and pedantic.

          • (Score: 0) by Anonymous Coward on Monday January 08, @03:53AM

            by Anonymous Coward on Monday January 08, @03:53AM (#619393)

            It appears that you are asking if it is accompanied by a guide. [google.com]

            If I was going to shorten the word "documented", I would have done it thusly: doc'd.

            You are being too narrow and pedantic.

            Heh, and you thought -he- was.

            -- OriginalOwner_ [soylentnews.org]

          • (Score: 0) by Anonymous Coward on Monday January 08, @03:07PM

            by Anonymous Coward on Monday January 08, @03:07PM (#619518)

            Got it.

    • (Score: 4, Informative) by takyon on Sunday January 07, @11:41PM (5 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Sunday January 07, @11:41PM (#619330) Journal

      You can get a laptop as thin as a smartphone!

      Acer just unveiled the thinnest laptop in the world [bgr.com]

      Meanwhile in Chromebook land:

      Acer launches a new Chromebook 11 with USB-C [theverge.com]

      I can tolerate 1366x768 resolution (for the moment), but 2 GB RAM needs to be eliminated as an option. The only good thing is that there are not any fewer full-sized USB ports to make way for the added USB Type-C ports. That's the way it should be.

      Call it a delayed holiday gift for the computer manufacturers. The things they are showing off at CES right now probably have the compromised chips in them, and there's a good chance most people won't notice slowdowns enough to even want to avoid the bug and upgrade in 2 years. In short, no change!

      AMD is still a winner in this situation because Spectre has no huge slowdowns associated with it and can be fixed with a firmware update AFAIK:

      AMD is big winner from chip flaw fiasco as more than $11 billion in Intel stock value is wiped out [cnbc.com]

      AMD shares are up 10.4 percent in the two days through Thursday following the report, while Intel's stock declined 5.2 percent in the period, wiping out $11.3 billion of shareholder value.

      [...] On the flip side, AMD said any performance hits will be "negligible" after Spectre-related security software updates and there is "near zero risk of exploitation." The company also confirmed it is not affected by Meltdown due to processor "architecture differences." Researchers and Apple said Spectre is more difficult to exploit.

      Multiple Wall Street analysts predicted AMD will take advantage of the Intel's security issues. AMD could use it as "a marketing edge given differing architectures and no vulnerability yet," Mizuho Securities analyst Vijay Rakesh wrote in a note to clients Wednesday.

      Intel's high-profit data-center business, which sells server chips to cloud computing providers and enterprises, is the chipmaker's crown jewel. Rakesh noted that Intel had 99 percent market share of the data-center market, representing a huge opportunity for AMD.

      If the hit seen on "synthetic benchmarks" translates to a similar/noticeable hit on I/O-heavy datacenter and HPC workloads, AMD has found its way in to actually push Threadripper and Epyc to customers who might not have given them the chance before. They are probably going to try to double the core count of Epyc in the next year or two. Zen was a good punch thrown at Intel, but Meltdown might lead to the knockout.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 3, Informative) by Apparition on Sunday January 07, @11:58PM (1 child)

        by Apparition (6835) Subscriber Badge on Sunday January 07, @11:58PM (#619334)

        AMD is still a winner in this situation because Spectre has no huge slowdowns associated with it and can be fixed with a firmware update AFAIK

        According to Matt Dillon of Amiga and DragonFlyBSD fame, Spectre can only be fixed by completely new hardware [dragonflybsd.org]. Not to say that he's completely correct, but he knows much more about hardware than I do.

        Also, none of the mitigations recommended so far completely protect against
        Spectre. I would argue, in fact, that the mitigations only amount to a
        small roadbump for attackers and will probably be defeated now that the
        attack vector is known.

        Nothing short of new hardware (not yet produced) will really make a dent in
        Spectre. That could be 6 months to a year away, depending on how big a
        fire is lit under the CPU vendors.

        [...]

        In otherwords, all of our options are bad. Spectre will not be mitigated
        in any real sense on any existing CPU. Until new CPUs start appearing down
        the line, 6 months or later from now, we are kind of all screwed. All of
        these mitigation's will probably be worked around by attackers in fairly
        short order.

        • (Score: 0) by Anonymous Coward on Monday January 08, @11:02PM

          by Anonymous Coward on Monday January 08, @11:02PM (#619760)

          Spectre still only affects out of order processors.

          Meaning that all the In-Order processors are unaffected by it.

          If you can stand the performance loss associated with in-order processors, then not only can you save a huge amount of real estate per core, but you also get chips with consistently reproducible behavior and well defined, even if buggy, logic.

          This might be an opportunity for some new upstart chip manufacturers to create an ecosystem based around openly documented in-order processors, with chipsets intercompatible between manufacturers as was the case through the clone years of the late 80s to the late 90s for PCs, or much of the 70s/early 80s for kit computers utilizing common busses. If this were to happen it would still cost us more than an equivalent AMD or Intel system, but given the tech advanced today, even something built on much older process technologies could be optimized for both reduced power usage compared to previous designs, as well as better performance per cycle. Avoiding the patent minefield would take some work, but if we crowdsourced that among techies and tech savvy legal nerds, we should be able to map out acceptable/unacceptable technology to a sufficient degree that we could have systems with plug and play support for RISC-V, J-Core, OpenSparc, OpenRisc, and other processors all running off the same motherboards, utilizing a management process similiar to the AMD/ARM/Intel management processors, only with the security key settable by the end user, possibly even using NVRAM of some form to make it effectively infinitely rewritable and simple to clear (which would lose a third party access to your encrypted data without a copy of the key) while allowing you to easily secure your hardware, clear it if the key becomes compromised or if you want to securely wipe it and offer it for a third party's use.

          Sounds like a win win if somebodies can pull it off.

      • (Score: 3, Informative) by arslan on Monday January 08, @05:22AM

        by arslan (3462) on Monday January 08, @05:22AM (#619421)

        Just to add more color to this, according to AMD, their chips are not susceptible to Meltdown and is only susceptible to 1 of the 2 variant of Spectre exploits. And as you said, they also claim that the fix to that causes negligible performance impact. I would think they'd be in a lot of trouble if they are publishing this information with the intention to misled given they're publicly listed, so I'd take their official statement over a "blogger" anytime until proven otherwise:

        Here's their official statement [amd.com].

        Here's GPZ's categorization of the variants [blogspot.com.au] and how it maps to the code name Meltdown and Spectre.

      • (Score: 0) by Anonymous Coward on Tuesday January 09, @07:03PM (1 child)

        by Anonymous Coward on Tuesday January 09, @07:03PM (#620150)

        screw EYPC and it's closed source backdoor, PSP

    • (Score: 3, Interesting) by Grishnakh on Monday January 08, @12:03AM (7 children)

      by Grishnakh (2831) on Monday January 08, @12:03AM (#619335)

      What I want to know is: are other CPU architectures vulnerable to something like this? x86-64 (and i586 before it, as this goes back to the PPro days) and ARM are vastly different architectures. But I wonder if SPARC or the old DEC Alpha were vulnerable to this kind of thing, or if they were simply better designed for memory security because they came from the "big iron" market where multi-process multi-user systems were the norm, unlike Intel which came from single-user DOS machines and ARM which came from the Acorn microcomputer company and was designed for embedded systems.

      • (Score: 2) by Grishnakh on Monday January 08, @12:16AM (1 child)

        by Grishnakh (2831) on Monday January 08, @12:16AM (#619337)

        Also, a more current architecture that I'm interested to know about is IBM's POWER chips. A bit of research found that POWER6 does not support out-of-order execution, but I don't know about 7-9.

        • (Score: 0) by Anonymous Coward on Monday January 08, @02:07AM

          by Anonymous Coward on Monday January 08, @02:07AM (#619361)

          Red Hat reports:

          These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian).

      • (Score: 5, Funny) by driverless on Monday January 08, @12:40AM (1 child)

        by driverless (4770) on Monday January 08, @12:40AM (#619345)

        What I want to know is: are other CPU architectures vulnerable to something like this?

        The 6502 isn't. That's why Cyberdyne used them in the T-800 Terminator.

        • (Score: 2) by dry on Monday January 08, @09:52PM

          by dry (223) on Monday January 08, @09:52PM (#619737)

          The 6502 had enough flaws (jsr when operand is on a page boundary) that you don't want to use it. Luckily there is the 65C02.

      • (Score: 0) by Anonymous Coward on Monday January 08, @02:52AM

        by Anonymous Coward on Monday January 08, @02:52AM (#619377)

        Pretty much any CPU that does speculative execution it is possible for this to happen. Basically if they are trying to retire more than 1 instruction per cycle. So yes if they do that they are candidates for these types of attacks. The older SPARC and Dec Alpha probably not. Even the old intel 486 does not have this issue as it has an in-order execution pipeline. Speculative execution really showed up after about 1995.

      • (Score: 0) by Anonymous Coward on Monday January 08, @04:42PM (1 child)

        by Anonymous Coward on Monday January 08, @04:42PM (#619566)

        SPARC wasn't. They had separate buffers for kernel and user space, so the privilege escalation wouldn't have been possible in the same way.

        • (Score: 2) by Grishnakh on Tuesday January 09, @12:39AM

          by Grishnakh (2831) on Tuesday January 09, @12:39AM (#619784)

          Ok, then it sounds like it's time to dust off the SPARC architecture and bring it back. I always liked those SPARCstations anyway, plus the keyboards were pretty nice, a lot better than the garbage we have now.

    • (Score: 3, Insightful) by frojack on Monday January 08, @12:49AM (5 children)

      by frojack (1554) Subscriber Badge on Monday January 08, @12:49AM (#619348) Journal

      However, in the long term, Spectre is a holiday gift for them all. The only real way to fix Spectre is via new hardware,

      Not sure this broken window exercise is going to be all that good for anyone in either the long or the short run.

      If they have to radically revamp processors, are they not just as likely to induce more errors in the process? Will we all end up spending a lot of money preventing a theoretical risk that we could ameliorate less expensively by simply turning off some of the features in these CPUs?

      (Especially in the case of battery powered machines, predictive execution is a huge waste of energy, - speculatively processing along each of several branches in the hopes of having a result ready before the desired branch is actually selected, means you substituted battery energy for a slight time saving).

      True, new designs, built from the ground up with security in mind might be somewhat improved (security wise) from the current designs. But with both government and industry looking for and demanding backdoors and built in exploits, we are just as likely to end up with more insecurities than fewer.

      These devices are the most complex thing mankind has ever built. To expect anything beyond a mere patching here and there is like expecting to rebuild New York City from the ground up to in the hopes of avoiding the pitfalls of cities. Not going to happen.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by takyon on Monday January 08, @01:26AM (1 child)

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday January 08, @01:26AM (#619351) Journal

        These devices are the most complex thing mankind has ever built.

        Someone can probably come up with a better example, like the Large Hadron Collider. But CPUs are really at the bleeding edge of manufacturing. It's nanotechnology, and subject to quantum effects. And yet we are stuck having them crippled one way or another with security bugs (possibly forgivable) or untrustworthy components (much worse).

        RISC-V is gaining traction: Western Digital to Transition Consumption of Over One Billion Cores Per Year to RISC-V [soylentnews.org]

        To expect anything beyond a mere patching here and there is like expecting to rebuild New York City from the ground up to in the hopes of avoiding the pitfalls of cities. Not going to happen.

        The patching seems to work in both cases. But you have to accept a possible slowdown in some scenarios if you patch for Meltdown.

        Are you trying to say that Intel will not remove or correct the features in upcoming generations of hardware? Such as Cannonlake, which may have had its release delayed [macrumors.com] to the end of 2018? That rumor-based story came after Meltdown was known to researchers and doesn't give a solid reason for the delay. Maybe the difficulty is due to redesigning the silicon to avert carrying Meltdown into a new generation rather than the usual lithography yield issues.

        If the patches addressing Spectre don't cause any perceptible slowdown, then maybe we will see Intel, AMD, ARM, etc. live with that bug lurking in new hardware for the next 2-3 years.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 1, Informative) by Anonymous Coward on Monday January 08, @04:32AM

          by Anonymous Coward on Monday January 08, @04:32AM (#619405)

          this broken window exercise
          [...]
          new designs, built from the ground up with security in mind

          RISC-V

          There was an Ask The Green Site story [slashdot.org] the other day on the topic of an Open Hardware core in an effort to leave behind the proprietary vendors who won't even fuzz[1] their damned microcode.

          RISC-V was mentioned and seemed as good an answer as anything else suggested.

          Bruce Perens had the idea that, with a 100 percent flashable device, these sorts of problems could be reverted without buying any new hardware.
          ...and noted that devices have come a long way since the slow power-hungry things we think of in this context (FPGAs).

          [1] Mentioned by AC#619327 above.
          I'm shocked that I haven't seen this mentioned in every single story about these vulnerabilities.

          -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Monday January 08, @02:48AM (2 children)

        by Anonymous Coward on Monday January 08, @02:48AM (#619376)

        Not sure this broken window exercise is going to be all that good for anyone in either the long or the short run
        It is indeed the 'broken window fallacy' However, someone has already tossed a brick through the window.

        Remember in the story the glazier benefited from the broken window. I would say his anecdote is true in this case (INTC, QCOM, BCOM, APPL, etc being the glaziers). The rest of the economy however will suffer because of it, the actual lesson of the broken window fallacy.

        Remember the fallacy is people talking about stimulating the economy through the use of destruction. In this case however the destruction is a done deal.

        • (Score: 2) by frojack on Monday January 08, @04:34AM (1 child)

          by frojack (1554) Subscriber Badge on Monday January 08, @04:34AM (#619406) Journal

          Remember the fallacy is people talking about stimulating the economy through the use of destruction. In this case however the destruction is a done deal.

          In this case the Glaziers were installing windows with defective glass. They may well have known about it, and assumed nobody would trip to it. Or they may not have known about it. IDK.

          I just don't see this as something that is good for the users, or the manufacturers, as the GP suggested.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 0) by Anonymous Coward on Tuesday January 09, @01:48AM

            by Anonymous Coward on Tuesday January 09, @01:48AM (#619819)

            The version I heard the glaziers would benefit and some boy wanted to break the window. The effect is the same. Society as a whole is worse off while a small group benefit.

            The users not so much. But it is not like we are going to collectively stop using computers. We will want our computers fixed. The ones who make computers will be better off as we need their goods. We as users will be worse off because we are replacing something that used to work just fine.

            But at this point like I said it is a moot point. Someone has already chucked a brick through the window. So the supposition in the broken window fallacy is already in effect. The fallacy is thinking it is good for everyone not just a select few.

            Governments play this game all the time (usually with taxes and deductions). They choose winners and losers in our markets. Usually with the mistaken idea they can make some select few better.

  • (Score: 2) by bzipitidoo on Monday January 08, @04:57AM (2 children)

    by bzipitidoo (4388) on Monday January 08, @04:57AM (#619410) Journal

    Y2K, F00F, and FDIV were trivial next to Spectre and Meltdown. To think that while we were sweating over Y2K, this bug was quietly lurking. Went unnoticed for over 20 years, is in the hardware, and affects many different architectures-- is there any major architecture that isn't affected? Have to go all the way back to the Pentium to find an Intel CPU that isn't affected, and that far back, some have the FDIV and/or F00F bugs.

    How could this have not been noticed for 20 years? That part has me speculating that maybe, just maybe, it was a conspiracy! And maybe the 3 letter agencies wouldn't have allowed this to be publicized until they had another backdoor in place, like, oh... a Management Engine?

    • (Score: 0) by Anonymous Coward on Monday January 08, @08:55AM

      by Anonymous Coward on Monday January 08, @08:55AM (#619461)

      Nah, it's too fickle to be a deliberate plant by them, and you need some kind of local access to at most read kernel memory.

      The three letter agencies want system level access via some reliable means, such as the _NSAKEY found in Windows 2000.

    • (Score: 0) by Anonymous Coward on Monday January 08, @11:12PM

      by Anonymous Coward on Monday January 08, @11:12PM (#619767)

      SPARC, Power, and a few other architectures were definitely not affected due to different handling of cache for kernel/userspace.

      Furthermore unless I have heard wrong, it DOESN'T affect IN-ORDER variants of x86/x86_64 processors either, meaning that Intel Atom, via C3 and maybe C7, and some later chips should all have avoided the SPECTRE exploits as well.

      The biggest thing spectre proves is: Foreign code should NEVER be run on local hardware, as has been commonly known since the 80s or 90s at latest, but ignored for convenience and intellectual property protection purposes.

      So yeah...

(1)