Dear Intel, If a Glaring Exploit Affects Intel CPUs and Not AMD, It's a Flaw

[R-T-B]

@nem..
So, AMD is only affected by Spectre1 and even that ONLY under Linux. Windows is not even affected.
Any info if AMD's software fix for Spectre1 also degrades performance in any significant way?

I'd be highly distrustful of that chart.

Of course, I've been wrong before today, but that chart doesn't make much sense at all to me.

The good news? Chart or no chart, specter in general does not appear to have a performance impact because it can't really be fixed. It also makes 0 difference outside of datacenters (minus maybe maybe maybe another avenue for malware if you are careless). So yeah.

 

[RejZoR]

Time to go RyZen 2 my man, or Threadripper 2. Your choice, 5820K may need to rest.

That may in fact happen. It may not affect me as insignificant consumer, but since I'm security conscious, it's very likely that I will change platform. Considering how widespread Intel CPU's are (huge market share) and how security flaw can't even be fixed, it's very high probability that someone will try to exploit this on a huge scale which would affect even home users. And I'm not gonna take chances...

@R-T-B
Well, I know from AV side that a lot of tools and protection features use virtualization for malware analysis or protection itself. If malware in such environment can still access the rest, that's a huge issue. Of course, I'm not gonna rush selling my system straight away, but I'll keep an eye on the situation. I never made big of a deal of Intel flaws that were fixable with firmware or OS microcode. But this one is a big one. And the fact that Intel was trying to cover it up, sell stocks in the meanwhile and god knows what else you kinda lose trust in such company. I know money is money and every company goes into damage control, but still...

 

[R0H1T]

That may in fact happen. It may not affect me as insignificant consumer, but since I'm security conscious, it's very likely that I will change platform. Considering how widespread Intel CPU's are (huge market share) and how security flaw can't even be fixed, it's very high probability that someone will try to exploit this on a huge scale which would affect even home users. And I'm not gonna take chances...

@R-T-B
Well, I know from AV side that a lot of tools and protection features use virtualization for malware analysis or protection itself. If malware in such environment can still access the rest, that's a huge issue. Of course, I'm not gonna rush selling my system straight away, but I'll keep an eye on the situation. I never made big of a deal of Intel flaws that were fixable with firmware or OS microcode. But this one is a big one. And the fact that Intel was trying to cover it up, sell stocks in the meanwhile and god knows what else you kinda lose trust in such company. I know money is money and every company goes into damage control, but still...

Tbh that isn't just Intel, I remember Union carbide fleeing India after the Bhopal Gas leak & then paying next to nothing as compensation. I know it's unwise to compare tragedies but BP paid what 20+ billion dollars for an oil spill, these guys paid less than a tenth for 1000x loss of lives! Corporations just don't care for you, that's why I take don't offense when they get penalized, not often enough though.

As for the bug itself, it was revealed ~3 quarters back so yes everyone has a right to blame Intel.

 

[londiste]

The point is that AMD processors are apparently not vulnerable to Meltdown and the performance hitting PITA patch is for Meltdown not Spectre, so the conspiracy theory is still there; Why the initial PITA patch flags all X86 machines instead of intel only?

This is simply security best practises. In case of any doubt, mitigation will be applied.
Details for this crap became public 2 days ago. While researchers and patch authors definitely knew, not everyone in the decisions chain did.

 

[john_]

This security bug proves that AMD processors are incompatible with Intel processors, as many Intel fans where saying for years.

 

[7dan]

Here's the official update from AMD.

http://www.amd.com/en/corporate/speculative-execution

 

[Parn]

Some ARM processors are also vulnerable to Meltdown
Source:https://developer.arm.com/support/security-update

Looks like most high performance ARM Cortex CPUs are affected too. Maybe I should stick to a low/mid tier phone with the A53 cores. Phones nowadays store so many sensitive information that a breach would be very costly. It is also much more difficult to prevent malware/malicious links on smartphones because of all those links shared by friends/families through many different social chat apps.

As for my next desktop/home server build, I'll be going for Ryzen 2 for sure. Even though it is very unlikely this bug would cause any real damage to a PC locally assuming the user has some basic computer knowledges and is vigilant, with the kind of attitude Intel has expressed towards the issue why should I keep supporting their products? I was a long time AMD user from the original K7 up until Phenom II. I only switched over to the dark side (Lynnfield i7) because of the huge disappointment of bulldozer. Now it's time to switch back.

 

[champsilva]

According to Google, Intel, AMD and ARM has flaws

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

 

[londiste]

Two different flaws, Meltdown and Spectre.
https://spectreattack.com/

Interesting that some ARM variants seem to be vulnerable to Meltdown as admitted by ARM themselves. Researchers did leave ARM and AMD vulnerability a bit of an open question in the paper.
Spectre seems to be the more critical one though as mitigation is much more complex.

 

[noext]

Time to go RyZen 2 my man, or Threadripper 2. Your choice, 5820K may need to rest.

well unless ryzen 2 , go for 4.5ghz+ , my 5820k has a long life ahead of him

 

[EarthDog]

Lol, another article and subsequent thread with the same links that were dropped yesterday. What a cluster...

Is this an editorial???

 

[Tsukiyomi91]

one word: damn....

 

[Steevo]

Intel CEO knew about this when he sold his stock. Intel is about to get a huge fine, also should be a good time to buy Intel stock after the bloodbath.

 

[R-T-B]

Is this an editorial???

It should be marked as one given it's writing style, but it isn't.

PS: Btarunr, you know I love you and the whole TPU group like family, so remember this is constructive criticism when I say:

Mark yo' shit.

 

[dozenfury]

These bugs raise all kinds of concerns at the datacenter level, but from a user standpoint my main worry would be any cloud stored backups/data that could be at risk. Those are on cloud VM's on the backend one way or another and mostly through AWS or Azure even if it's through a third-party service that uses them. Another good reason if you are using desktop backup services like Dropbox, OneDrive, etc. to encrypt it before sending. There are plenty of free and paid apps out there that will take care of that like Boxcryptor.

 

[R0H1T]

The nature of the attack (meltdown) makes it nearly impossible to trace it back to a source!
I really wonder now if this wasn't used by any number of nefarious elements, NSA or criminals, in the past?

 

[Steevo]

The nature of the attack (meltdown) makes it nearly impossible to trace it back to a source!
I really wonder now if this wasn't used by any number of nefarious elements, NSA or criminals, in the past?

Perhaps it was and has been a design "feature" and was just exposed by people.

 

[R0H1T]

Perhaps it was and has been a design "feature" and was just exposed by people.

It's possible & we won't ever know for certain, kinda like the Kennedy assassination or is that too much tinfoil?

 

[64K]

At work right now so I can't access most game sites but the one I could ran before and after benches on some games and of the 6 games tested it looks like only Assassin's Creed: Origins is affected much but that's probably because Ubisoft loaded it up with DRM. Not only Denuvo but VMProtect too.





http://www.dsogaming.com/news/windo...triple-a-games-tested-in-cpu-bound-scenarios/

 

[R0H1T]

There's a big drop in AC, though not sure why some games were tested at 1080p & others at 720p? A lot of storage reviews will also need to be updated afterwards, would be interesting if NVMe drives take a major hit looking at those initial phoronix benchmarks.

 

[64K]

There's a big drop in AC, though not sure why some games were tested at 1080p & others at 720p? A lot of storage reviews will also need to be updated afterwards, would be interesting if NVMe drives take a major hit looking at those initial phoronix benchmarks.

I don't know why the different resolutions but usually this guy when testing the CPU benches at 720p with his 980 Ti to try to eliminate the GPU as much of a factor.

Not sure why there's a huge space after my post either. That wasn't there when I was posting and I can't delete it.

 

[bencrutz]

Uh, Spectre is the one without the fix, and it too affects all OSes (and linux, under default kernel settings)... It's by nature a hardware issue.

Who the heck made that chart? He doesn't know anything. I think both spectre 1 and 2 affect pretty much all known speculative execution processors atm. Maybe I'm mistaken here, but this article I read from a decently respectable publication suggests otherwise:

Read:

https://arstechnica.com/gadgets/201...odern-processor-has-unfixable-security-flaws/

In the meantime, let me help you fanboy:

Intel has spectre too!!!1!! AMD does NOT have MELTDOWN!

according to THIS: spectre (variant 1) can be done on AMD with eBPF JIT on (non-default state), it can't be done with eBPF JIT off (the default state), on the other hand, on intel CPU, variant 1 can be done on the PoC regardless the state of eBPF JIT, hence on AMD it is software fixable by simply forcing the eBPF JIT off.

 

[R0H1T]

according to THIS: spectre (variant 1) can be done on AMD with eBPF JIT on (non-default state), it can't be done with eBPF JIT off (the default state), on the other hand, on intel CPU, variant 1 can be done on the PoC regardless the state of eBPF JIT, hence on AMD it is software fixable by simply forcing the eBPF JIT off.

Compared to meltdown, spectre is relatively harmless but there are 4 exploits demonstrated for these 2 flaws. There is a non zero possibility that there may be more variations of such attacks. There's a lot of man hours needed to get to the bottom of it, interestingly Google Zero could still be working on them.

 

[R-T-B]

according to THIS: spectre (variant 1) can be done on AMD with eBPF JIT on (non-default state), it can't be done with eBPF JIT off (the default state), on the other hand, on intel CPU, variant 1 can be done on the PoC regardless the state of eBPF JIT, hence on AMD it is software fixable by simply forcing the eBPF JIT off.

Yeah, I backed off that comment a bit later in another thread (we have way too many).

I was confused because there is more than one spectre type.

 

[lilunxm12]

This is simply security best practises. In case of any doubt, mitigation will be applied.
Details for this crap became public 2 days ago. While researchers and patch authors definitely knew, not everyone in the decisions chain did.

I'm not familiar with industry but in my opinion fixing such a critical vulnerability all people in decision chain should have good understanding of how it works. And in fact Linus as head developer isn't happy with that patch either.

.. and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind.