Meltdown And Spectre

Oh, I quite agree, good browsing habits are a vital skill . . . but that is a totally different issue and beyond the scope of what I was replying to. In a prior post an OP asked if anyone had a preference of which Anti-Virus program to use (AV or Avast). I posted my preference and some other security programs I have used to good effect.

I've found most people that find their way here tend to have learned a least a bit about safe browsing. Anyone can taken out by a net nasty, even if they are practicing what they have learned to be safe surfing habits. You can also get a virus by opening an e-mail attachment from someone you trust, who themselves may not be as computer savvy as you are and have been hacked. Vectors of infection are legion and change every minute of every day. Any layer of defense is added insurance.

 

Anyone have any details on specifically why this is being classified a hardware design flaw issue? My impression is that any hardware can be repurposed (reconfigured) with firmware changes, meaning that any "design flaw" could be remedied that way.

Not to attempt to stir a bees nest honestly, but I am really pretty concerned over Intel's response to this. Just seems like they and Microsoft have decided to tell customers that their current computers are flawed and leave it there. Sure that helps their bottom line, if users have to scurry to buy a new computer. But can Intel dodge criticism from users considering this fact when they buy next? What can they say...well, AMD was affected too? Wow, there was a time when this would have been a HUGE front page lawsuit. Users don't really have a choice if they are upset about Intel divorcing itself from the problem with an update from Microsoft and no promises. I don't like what I'm seeing right now. What if this is purely a Microsoft issue, and Intel is just cowing down to the beast hoping this will go away? Do we know it's not this? Way too much happening in the dark here and too many computing catch phrases being thrown around too.

I have read a fair amount about this issue by the way. This is not like anything we have seen before. Also, I have studied deeply the architecture of Windows. Please understand, I know where we are in that Windows is an OS that has evolved...not been recreated over and over from scratch. However, the process of evolution has created a zombie monster. This OS is not designed with securability in mind. It just simply is not...simple. Of course, I am questioning the creators at this point. Instead of a securable computer running Windows, I have Microsoft's zombie data collection tool. Seriously, I can't help but wonder if Microsoft is sensing that a fix for this issue would mean completely revamping the core of Windows in order to support the full performance potential of a personal computer, while still delivering a securable platform. Intel, on the other hand, says this is the fastest design, so write for it. I really believe this is at the heart of this issue. Not to take Intel off the hook, but I'm not sure there is anything wrong with the processor after looking this over thoroughly.

I'm not at all buying what has been said so far...at least I'm not buying it yet. We talk constantly about what we can't know and excuse these companies from scrutiny for their choices by assuming that "the system" will surely explain this if MS and Intel are off somehow. Yet, never has Microsoft Windows been subjected to a full independent audit. What does this say about "the system"? Neither is hardware put to the test for indiscretions that may lie within, true, but without an audit of Windows by ethically above reproach and extraordinary programmers, how will we know if we are getting the best possible?

We have no guarantees and no sense of a secure life...with computers to blame. Worst, I really feel nagged that there is a perfectly obvious solution to this issue that doesn't involve a single fraction of a percentage of lost processor output. I wish I didn't feel this way, but something isn't adding up to me at this point in time. For me, the magic in computing is gone at this point sadly. I don't trust Microsoft or Intel.

 

As I said in post 45*, I agree that Intel should be able to come up with firmware update - only thing is , like Bios updates, these can prove a problem with those without any geeking ability's, or, newbies.

 

@AtlBo, excellent post #52!

 

Yes. It's a design flaw.
Unlike car-makers which would have issued a recall, Intel won't do that because too many CPUs have this vulnerability, and it's not exactly life threatening. And this also effects AMD and ARM processors.

I'm surprised the conspiracy theorists haven't crawled out of the woodwork...

 

99% of all CPUs are affected. Intel, AMD and ARM. This includes the CPUs in ATMs (and other control computers), web servers, severs of companies, tablets, smartphones, ... etc. The issue was detected in June 2017 during the work on a patch for the Linux kernel. So no, not only Windows is affected. Meltdown & spectre enable unseen access to any memory range. Attackers can spy passwords and other sensible data. Why I'm still relaxed? Because patches will come and private people are not of much interest for atackers as long as there are targets that arouse more curiosity.
The issue can be patched (to the disadvantage of performance losses) but not fixed. If you buy new devices then these will still have the same issues. I'm afraid we have to wait for new processor generations.

 

The last line in LauraR link says it all for me---

I’m not planning to throw out my PC… but I am starting to wonder if online banking is really such a good idea

---
Never done it and never will!!

 

I tend to keep a device for a long while after it is considered "outdated" as long as it keeps doing what I need it to do. For instance I have a Core2Quad CPU running a file server in my home. It's Linux based, and I'm going to look into what I should do about securing it . . . but truth be told I'm not all that worried about it. Like GermanOne has stated, home users aren't a juicy enough target to warrant the effort required for an attacker to take advantage of the flaw.

 

Home users are the juiciest targets because they are easy......Companies with data to protect go to great lengths to do so which makes things more difficult.
To me, its more about ease of access, thus utilizing good business productivity and efficiency.
These types of vulnerabilities represent huge coin, and the bad guys run it like any business!

Yes, we only sit at home, but we all have identities that are valuable, we utilize internet banking, we have paypal accounts, we purchase online from Amazon with credit cards, hell....we may even own a Bitcoin wallet.
Don't underestimate your importance!

Having said that, Its a flaw that involves architecture or rather, the pathway a CPU uses to process commands.....its not the actual physical parts make up of the CPU, so therefore I believe it will be solved utilizing CPU microcode which will become available in firmware (BIOS) updates, but that's just MHO.
I suspect Intel & MS know this.

Its not the materials used in the construction of the roof, it was the bad angle of pitch, and the faulty foundation footings which caused it to collapse!

 

The real 'Nightmare on Elm Street' for the big boys (large companies) are remote users working from home, with remote access to the companies servers back at the office. If your vulnerable, so are they.
This opens up a whole new spiderweb wouldn't you agree?

 

О чем они думали?

 

For what it's worth - here is a quick performance test of my 840 Evo SSD, before and after the Meltdown patch. Looks like to get a better metric I'd need an average of several tests with and without, I guess . . . and with various tools.

 

For those interested in a technical overview of Meltdown, read this.
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#Overview

It all comes down to Speculative Execution.
https://en.wikipedia.org/wiki/Speculative_execution

 

And here come the lawsuits...
https://wccftech.com/amd-class-action-law-suits-for-spectre-vulnerabilities-intel-four-meltdown/

 

Well, I finally caught a (bit) of a break. I restored my test computer to a state before I applied the Microsoft 2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894) - which patches the Meltdown issue.

I updated all the software I use; Anti Virus, Anti-malware, etc., and installed any prior Microsoft updates. I then ran Realbench V2.56 on the computer to get a baseline, and then again after the update was applied.

Computer Specs:

CPU:Intel Core i5 2400
RAM:665.1 MHz - 16GB
MB Q77MK - Desktop
OS:Windows 7 Professional
GPU1:Radeon (TM) RX 480 Graphics

Test Results:

Before

Image Editing: 115619 Time: 46.0821

Encoding: 28250 Time: 188.596

OpenCL: 71955 KSamples/sec: 13246

Heavy Multitasking: 38792 Time: 196.738

System Score: 63654

----------------------------

After

Image Editing: 103394 Time: 51.531

Encoding: 29294 Time: 181.879

OpenCL: 79950 KSamples/sec: 14723

Heavy Multitasking: 34756 Time: 219.586

System Score: 61848

----------------------------

Overall system score was lower after the patch, but not enough to be of concern in my opinion . . . at least for what I need my PC to do. When I have a chance I'll run the same tests on another PC with lesser specs and see if the overall hit is about the same. Not really scientific . . . but tells me what I need to know.

 

Since January patches are a minefield (I haven't done any yet), I'm going to image in the next day or two then try one update at a time. I don't need any BSOD nor looping booting problems!

 

Intel puts its products up for hacking!

https://www.bleepingcomputer.com/ne...to-save-face-with-250-000-bug-bounty-program/