Intel chipsets have another security issue, this time it's 'unfixable'

How empiric are these reports?
How do I know this is not just negative paid publicity?

By the fact that intel themselves have acknowledged it:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00213.html

I don't really like Intel, but this doesn't really worry me. I mean,

they would need some sort of physical and local access

Why are we even expecting any kind of compute-y thing to be secure when someone has physical and local access? That was never a thing when I was young, and I'm fairly convinced that if we think it's a thing now it's mainly wishful thinking.

I don't really like Intel, but this doesn't really worry me. I mean,

they would need some sort of physical and local access

Why are we even expecting any kind of compute-y thing to be secure when someone has physical and local access? That was never a thing when I was young, and I'm fairly convinced that if we think it's a thing now it's mainly wishful thinking.

The question of security against local access is the very reason for things like disk encryption and especially important for mobile devices like notebooks.

Because their CPUs are so much better right now and because their GPUs have the best open source support right now and just caught up with Nvidia's cards regarding energy efficiency, my next rig is gonna be full AMD.

I don't really like Intel, but this doesn't really worry me. I mean,

they would need some sort of physical and local access

Why are we even expecting any kind of compute-y thing to be secure when someone has physical and local access? That was never a thing when I was young, and I'm fairly convinced that if we think it's a thing now it's mainly wishful thinking.

Local and physical access tends to decrease the effectiveness of and defeat many security measures. For that matter, if someone has physical access to your machine, they could simply walk off with it and crack it at their leisure.

"I'm not worried about X cybersecurity threat because I'm nobody important..."

If it's a threat that really requires physical access to exploit, you should be reasonably fine... until you loose a laptop or smartphone and can't remotely ask it to nuke all your personal files like photos, banking, memorized passwords, etc...

If it can be remotely exploited, it just doesn't matter who you are and what you do for a living... there is professional malware floating around that can systematically test every door on every machine on the internet and is automated to exploit known flaws in mostly anyone's machine... at best your computer will just help them attack some other target... at worse you get some WannaCry ransomware, for which anyone is a target, or false banking website to steal access to your money, etc.

The ods that you get hit like this are not too high, and the more exotic exploits are not always in a malware's arsenal... but it's a real issue we shouldn't dismiss lightly.

Finally, if it's a "local" access threat it means someone on the same LAN can hack you... it shouldn't be too bad, except routers are almost all untrustworthy craps. Mirai and other botnets eat them for breakfast... so basically this means barely the same as remotely exploitable.


ps: i'm currently using AMD Phenom II x4, will definitely try AMD Ryzen in the future!

AMD isn't perfectly secure. It's more secure. If there are fewer researchers for the platform because of obscurity, then there's going to be fewer people knowing about the exploit. That said, AMD should release the source for the PSP.

if you want more security than AMD, use something like RISC V, or Power. Sure finding binary blobs that work for them would be difficult, but in my view, you shouldn't be running software that you didn't personally compile on a compiler of your choosing if you are concerned with security to this level.

I don't really like Intel, but this doesn't really worry me. I mean,

they would need some sort of physical and local access

Why are we even expecting any kind of compute-y thing to be secure when someone has physical and local access? That was never a thing when I was young, and I'm fairly convinced that if we think it's a thing now it's mainly wishful thinking.

Think servers, when you use a resource remotely on a server (e.g a HTTP request to a web server, or a SMTP request to a mail server and so forth) you have a form of local access to that server (and if the software have some form of vulnerability as well then you definitely have local access, even if that application is securely sandboxed).

And if you are in a big server room then you have physical access to those servers without necessarily have the kind of physical access that you would have if you stole a laptop from someone.

So these recent vulnerabilities are not so much of a desktop problem as they are a server problem, just like many of the other recent Spectre variants.

I don't really like Intel, but this doesn't really worry me. I mean,

they would need some sort of physical and local access

Why are we even expecting any kind of compute-y thing to be secure when someone has physical and local access? That was never a thing when I was young, and I'm fairly convinced that if we think it's a thing now it's mainly wishful thinking.

Think servers, when you use a resource remotely on a server (e.g a HTTP request to a web server, or a SMTP request to a mail server and so forth) you have a form of local access to that server (and if the software have some form of vulnerability as well then you definitely have local access, even if that application is securely sandboxed).

And if you are in a big server room then you have physical access to those servers without necessarily have the kind of physical access that you would have if you stole a laptop from someone.

So these recent vulnerabilities are not so much of a desktop problem as they are a server problem, just like many of the other recent Spectre variants.

Not to mention the virtual computing one can rent over at Amazon, Microsoft, Google and the like. I imagine those sort of systems make heavy use of local security features.

I do have an Intel CPU now, but when the time to upgrade comes I'll buy the one CPU that gives me the best single-core performance, what brand doesn't matter, I don't have an allegiance with either of them.
I know we're seeing more and more games taking advantages of multiple cores, but for the moment the single-core perf is what I look for.

As your post has been up-voted as well, I'm intrigued why single-core performance is the major sell point for you?

I know for certain that game studios are improving their engines to take advantage of the increasing number of cores in today's CPUs. Of course they won't release games that needs 16+ cores since no current consoles have it, and even in the PC world, players with this kind of CPUs have a very small market share (less than 0.1% ). But 4 cores is now the norm (50%) and 6 cores is not far (21%), while 8 and 12 cores are already slowly increasing.

Considering several points:
* Intel still has a high market share (79%)
* Intel CPUs have low core count
* AMD CPUs have high core count
* AMD is starting to increase its market share
* Intel will clearly try to compete with AMD with high core CPUs (when they'll figure out 7nm)
* And finally, we can put so much transistors in just one core, thus the increase of the core count we see

I would say future is more multi-core than single-core. Maybe I'm projecting too far though :D


Last edited by Creak on 7 March 2020 at 4:47 pm UTC

Local and physical access tends to decrease the effectiveness of and defeat many security measures. For that matter, if someone has physical access to your machine, they could simply walk off with it and crack it at their leisure.

If you got decent encryption, not within billion years with the whole energy of the sun.


Last edited by Eike on 7 March 2020 at 4:56 pm UTC

As your post has been up-voted as well, I'm intrigued why single-core performance is the major sell point for you?

According to measurements with actual games, single core performance is very important. My guess is that there's a main game logic process which runs on a single core and needs quite some power. Other threads are used, too, so you do need enough cores as well. This was especially pointed out for the Ryzen 2000 generation which lost on real games performance against Intel.

As your post has been up-voted as well, I'm intrigued why single-core performance is the major sell point for you?

According to measurements with actual games, single core performance is very important. My guess is that there's a main game logic process which runs on a single core and needs quite some power. Other threads are used, too, so you do need enough cores as well. This was especially pointed out for the Ryzen 2000 generation which lost on real games performance against Intel.

I understand that and you're completely correct, but if you buy a CPU now, I'd say it is for a few years. By the time, these benchmarks will probably change (because of the reasons I listed).

But if you plan to change your CPU every year, I agree this would be the best choice..

Local and physical access tends to decrease the effectiveness of and defeat many security measures. For that matter, if someone has physical access to your machine, they could simply walk off with it and crack it at their leisure.

If you got decent encryption, not within billion years with the whole energy of the sun.

Yesyes, encryption works. And if what someone is trying to do is access your data, that's fine. Won't stop ransomware though, they can just encrypt your encrypted data. Or hijacking your machine to help a botnet or whatever. If someone's got physical access, they can do pretty much anything except access encrypted data, and I still don't see how a chip having security features is gonna stop them.

(For that matter, cracking encrypted data they might not be able to do in a few days or even in a practical length of time, but it won't take any billion years; they just wait 10-20 years for quantum computing to mature a bit)

Let it sink

I understand that and you're completely correct, but if you buy a CPU now, I'd say it is for a few years. By the time, these benchmarks will probably change (because of the reasons I listed).

But if you plan to change your CPU every year, I agree this would be the best choice..

I'm not sure people will get rid of a hungry main process. But fortunately, with Ryzen 3000, the question should be mood. (Is that correct? The question is not important anymore.) It's got the same single speed performance and more cores for the money.

I understand that and you're completely correct, but if you buy a CPU now, I'd say it is for a few years. By the time, these benchmarks will probably change (because of the reasons I listed).

But if you plan to change your CPU every year, I agree this would be the best choice..

I'm not sure people will get rid of a hungry main process. But fortunately, with Ryzen 3000, the question should be mood. (Is that correct? The question is not important anymore.)

You're very close. "moot"

I've been eyeballing AMD CPUs for a while now, being sick and tired of Intel's crap. It sucks that the AMD CPUs also have issues, but at least they're fewer. What can I do? Spend a fortune on a RISC-V PC? Unlikely. I'd rather move my sensitive computing to a Raspberry Pi 4. :P

I'm not sure people will get rid of a hungry main process. But fortunately, with Ryzen 3000, the question should be mood. (Is that correct? The question is not important anymore.)

You're very close. "moot"

So close and yet so far... :D

Thanks!

Local and physical access tends to decrease the effectiveness of and defeat many security measures. For that matter, if someone has physical access to your machine, they could simply walk off with it and crack it at their leisure.

If you got decent encryption, not within billion years with the whole energy of the sun.

Yesyes, encryption works. And if what someone is trying to do is access your data, that's fine. Won't stop ransomware though, they can just encrypt your encrypted data. Or hijacking your machine to help a botnet or whatever. If someone's got physical access, they can do pretty much anything except access encrypted data, and I still don't see how a chip having security features is gonna stop them.

(For that matter, cracking encrypted data they might not be able to do in a few days or even in a practical length of time, but it won't take any billion years; they just wait 10-20 years for quantum computing to mature a bit)

quantum computing will just scale down the timeframe from many many billions of years to (many many billions of years) / 2.

Where quantum computing will wreck absolute havoc is in asymmetric encryption which is not used to encrypt data (for 99.99999% of it's application) but to exchange encryption keys or used to sign data by encrypting cryptographic hashes.

edit: just wanted to point out that I wrote the wrong timeframe change above, it's not the time component that is halved, it's the number of bits. So a 256 bit symmetric algorithm today will in a fully quantum world be equivalent to a 128 bit symmetric algorithm.

We are still talking about billions and billions of years, and in fact the "not with the whole energy of the sun" that Eike first wrote is actually a quote taken from Bruce Schneier's first book where he talks about the energy requirements to brute force a 128 bit symmetric key so what Eike wrote still holds true even in a quantum world (the energy requirement to brute force a 256 bit symmetric key today would be equivalent of 2^128 suns).

It's also worth noting that this energy requirement is also based on a implausible future where the energy requirement to fully decrypt one step of an algorithm would be just the movement of a single electron one energy level. Today (and still tomorrow with quantum) such an operation will take billions of such movements.


Last edited by F.Ultra on 10 March 2020 at 3:31 pm UTC