Intel launches their new CPUs with Radeon RX Vega M Graphics along with two new 'NUC' mini-pc models

Ok ... i think while the tweet is good -> https://spectreattack.com/ this explains everything.
Also as far as i got it 2 flaws found are documented but they where talking about a 3rd which i didn't hear anything so far.
Last but not least, once you read this documents you will find that KTPI makes it harder to use meltdown as an attack but not impossible.

So a few thinks are on my mind:
- the highest actuall speed to read out the memory on meltdown is 500kb/s. Now calculate how long it would take to make a snapshot of your memory and how much this memory is changed during this progress. So even now i would say you need to much further improve this attack to be able to have a real usuable attack for attacking private pc's.
- For cloud and infrastructure this is a whole different story. If you attack them any information is valuable.

Also ... meltdown is mostly intel only but even on amd exists a attack which can use the architectual design of modern cpu's. So while not called meltdown there is something else.

So basically any modern cpu is probably affected and most cpu producers have already told they are affected by one or another attack. So conclusion -> out of order execution opens a whole bunch of attack vectors on modern cpu's. It's now time to work against it and once we see the different solutions we can decide who offers a good solution.

Quoting: scaineApart from someone trying to use Twitter to explain such a technical subject, I completely agree with you. BUT, while that design decision was made as long ago as 1995 when security was 99th on a list 100 priorities, this is 2018 now and Intel (and AMD and probably to a certain extent ARM) can only be described as wilfully negligent in overlooking this behaviour in the modern day.

As I said earlier, I suspect that Intel knew about this much earlier than June, probably for years and kept a lid on it. Their pushing KASLR so hard (for unrelated attacks, such as KRACKS and the whole Intel ME cock up) was probably done in the hope that a software remedy would be found and accepted early, so that they wouldn't have to acknowledge the extent, reach and scope of this hardware design flaw.

Again, you're assuming that Intel, AMD, and ARM knew about the risk/flaw before they were notified of it. I can tell you now that in most cases they don't know until someone notifies them. There are specific procedures for reporting bugs/flaws that lead to vulns/exploits. To the point where the MSSP I work for has explicity told me that the one thing I cannot do when contributing back upstream is open an issue/ticket on a public issue tracker if the issue is security related. It must be researched, evaluated, and sent to the project/organization/company directly until the risk of the issue is known and can be safely released to the public.

Are there other things Intel should have done related to how the PR was handled regarding the Meltdown and Spectre exploits - absolutely. But don't pretend to know all the ins and outs of how this works. I'm in the InfoSec field and even I don't know everything.

Maybe I am paranoid, but my theory is that Meltdown is not a design flaw, but a feature made by Intel for to do intel...
If you are an average Joe, I'm sure They will not spy You, but If You are a politician in a high position, You should be worried about this.

Quoting: HoriThis has been going for 10 years. 10 years and none of their skilled engineers noticed? I find it kinda hard to believe that. They either did not care enough about finding the problem, or they tried to hide it.

It's not like there's a huge open door (like Apple had some weeks ago with their root logins). People have invented an extremely clever way to expolit hardware features (and yes, I could hardly call them bugs). I'm a software developer myself and I had no idea how they would tunnel data from the predictive execution branch (which is not going to save any data were it can be read) through to legitimate code. This cache data tunneling is so sophisticated and I didn't even yet look how they manage to delay the memory exception...

Just to be clear here - Meltdown is a vulnerability that takes advantage of a bug in Intel's chips. Call it a "design flaw" if you're feeling kind, but it's a hardware bug. It's executing instructions from its buffer without checking that this is allowed. Speculative Execution is one thing, but not checking privileges before execution? Madness.

That's why AMD's latest chips don't suffer from the Meltdown flaw. Yes, they use Speculative Execution, but at least they have the good grace to check if they're allowed to execute those speculative commands before they do so.

Spectre is more widespread. It's also a Speculative Execution vulnerability but has nothing to do with checking privileges. But you have to have some kind of capability on the box first, before you can take advantage of Spectre - you have to have some way to influence the buffer cache.

But yeah, in summary - total bug.

And yes, I am assuming that Intel knew about this years ago. I'm assuming that based on the "conspiracy theory" I mentioned in my earlier comment. Might be true, no idea.

Quoting: orochi_kyo

Quoting: EagleDeltaI understand your feelings, but if that's how you feel, then you shouldn't use computers.

Such a long post to justify something that actually could be avoided if testing before releasing were done properly, then Intel jumping into new models and products while old stuff is still broken isnt good. Im pretty sure intel will keep pushing new stuff in order that people forget about this meltdown problem because they cant fix it, those models are just too deep broken.
"I understand your feelings" no you dont, and stop telling people to stop using something just because they expect quality and responsibility from manufacturers.

Tom Lendacky of AMD agrees with you.

I see posters here saying things like: It's an unforeseen bug or it could happen to anyone.
The bottom line is Intel played fast and loose with security just to squeeze some more
performance out of their chip design. Take a look at this quote from Tom.

QuoteThe AMD micro-architecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

That implies Intel is allowing unprivileged processes to reference speculative data from
higher ring processes. That is by definition a very bad design choice.

To me, after I first hyped this package a lot, I'm not that impressed anymore. At first I thought it's gonna be a next-gen APU - finally it's just a GPU and CPU soldered on one chip - connected with PCIE. This means: If you got a notebook, there's almost no difference to dedicaded GPU options.

For mITX computers it's indeed different: There's no "dedicaded option" that's soldered on the Mainboard - a dedicaded GPU will always take space and create a lot of extra heat. In this specific use case it can make sense. The only downside: It will be hard / impossible to upgrade this combo as far as next-gen "APUs" won't fit most likely.

Quoting: scaineJust to be clear here - Meltdown is a vulnerability that takes advantage of a bug in Intel's chips. Call it a "design flaw" if you're feeling kind, but it's a hardware bug.

However, this is a case where the semantics of "Design flaw" vs "Bug" is important. A "Bug" implies the core issue can be fix though some sort of code update (be that firmware or software). The fact that it is a design flaw means that Intel cannot fix the issue now without stopping all business, which would probably cause a loss of sales too high to continue. What they did (outside of PR) is the best thing they could've done in the circumstances: Notify Software vendors and help with patches that mitigate or block the design flaw, followed by steps to designing new chips to not have that flaw..... the key problem with that is this: Designing, building, coding and releasing new CPUs is a multi-year process and we won't see a CPU from Intel for some time that no longer has that flaw.

Quoting: scaineAnd yes, I am assuming that Intel knew about this years ago. I'm assuming that based on the "conspiracy theory" I mentioned in my earlier comment. Might be true, no idea.

I can't (and won't) argue with this. All I can say is that I require hard facts before I will make this assumption, right now all we have is circumstantial evidence and bad PR, neither of which would hold up in court (I still stand by the mantra of "Innocent until proven guilty in a court of law" ).


Last edited by EagleDelta on 10 January 2018 at 5:02 pm UTC

All I'll say in response is that you're waaaaay more tolerant of ineptitude than I am. I just upgraded my PC last year, so I'm furious that it'll be another couple of years before I feel justified buying a new motherboard/CPU to work around this particular cock up. Furious.

Needless to say, I doubt that that replacement combo will be of Intel design...