SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Go Back   SUBSIM Radio Room Forums > General > General Topics > PC Hardware/Software forum
Forget password? Reset here

Reply
 
Thread Tools Display Modes
Old 05-03-18, 05:11 PM   #1
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default Spectre Next Generation has arrived - and its worse than last time

https://borncity.com/win/2018/05/03/...in-intel-cpus/

I read in German about it yesterday, here now is the first English translation.

At least 8 new vulnerabilities of Intel CPUs have been found by German magazine "C'T". They are kept secret in explanations about their design, so that they win some time to catch up with them, but it is said these new vulnerabilities are more dangeorus than the last ones, since they do no longer need special, hard-to-obtain and hard-to-carry-out special knowledge to make use of them. The risk to private users may be a bit smaller than for server service operators, cloud providers and others.

The CPUs by Intel are not described as having some holes, but to be "holey like Swiss cheese".

I'm so lucky that I use my Intel gaming machine on W10 only for games, and nothing else. Bought in in Nove,mbre, but wiht the revelatiosn of the past 4 months I would never buy Intel again anymore, not for the next couple of years. Too expensive for the risk-package stuff you get. If I would have waited just 6 weeks longer back then...

The German article that dropped the bomb yesterday: https://www.heise.de/ct/artikel/Supe...g-4039134.html
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 05-03-18 at 05:20 PM.
Skybird is offline   Reply With Quote
Old 05-03-18, 05:21 PM   #2
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default

I see that the original German article meanwhile also has been officially translated:

https://www.heise.de/ct/artikel/Excl...s-4040648.html
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 05-03-18, 05:25 PM   #3
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default

Quote:
One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre.
(...)
Overall, the Spectre-NG gaps show that Spectre and Meltdown were not a one-off slip-up. It is not just a simple gap that could be plugged with a few patches. Rather, it seems that for each fixed issue, two others crop up. This is the result of the fact that during the past twenty years, safety considerations have only played second fiddle to performance in processor development.


An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.
Nice.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 05-03-18, 10:47 PM   #4
Sean C
Grey Wolf
 
Join Date: Jun 2017
Location: Norfolk, VA
Posts: 900
Downloads: 12
Uploads: 2


Default

It's the end of the world!!! Aaaahhhh!!!

Seriously, though: I always take as many precautions as I can against this kind of thing, and I will certainly continue to do so. But, you'll have to forgive me if I don't run around like my hair is on fire upon hearing this. It's a serious problem - no doubt about it. I just think people tend to get a little hyperbolic when assessing these kinds of threats.

There are many dangers when it comes to your personal information online - and as far as I can tell, there always will be. But, some common sense and a few precautions can go a long way to keeping your data and your finances safer. (I doubt that they will ever be completely safe ... anywhere.)
__________________
If you have a question about celestial navigation ... ask me!
Celestial Navigation Spreadsheet
Sean C is offline   Reply With Quote
Old 05-04-18, 06:31 AM   #5
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default

If you think this is only about personal data theft, than you have not understood the dimension of the problem. Although personal data theft already is serious enough, when you consider login data for online shops and online banking/brokering, but also your profile: risk evaluation when you ask an insurance company for a policy, getting sniffed out when you ask an employer for a job, targetted advertisement by businesses as well as political parties, social bonus points and bad notes for you when analysis shows that you like or dislike like you should (or should not), and your typed in views being in line or not with the wanted public opinions and views... Look at China, they are doing right this now, it gets reported these days.

Think in terms of enforced remote control of IT infrastructure in cities, traffic infrastructures and institutions, hospitals, energy production - blackmailing, cyber warfare - oh wait - that hospitals get blackmailed by cyber attackers, already is a common practice now it seems.

Think in terms of taking over IT hardware - and everything that it controls. Think in terms of bot nets.

Like it is said somewhere in the articles: our complete IT infrastruture's security is rotten at the very core level already. And the easier it is to abuse these weaknesses, the more dangerous the situation becomes, and the more likely it becomes that attacks take place. Spectre NG represents such a dramatic simplification, in parts at least. I have read this morning that it got leaked that one of those eight vulnerabilities consists of only four brief lines of code injected in an environment that bases on the use of a VM. What the...? Just four lines of code to spell desaster?

It takes years to become a competent fencer and hit your opponent at 1 meter. But every every idiot can shoot and hit with a pistol at 10 meters. Thats why simplifying the execution of Meltdown- and Spectre-based attacks is so dangerous.
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 05-04-18 at 10:06 AM.
Skybird is offline   Reply With Quote
Old 05-05-18, 09:51 PM   #6
BarracudaUAK
Captain
 
Join Date: Apr 2016
Posts: 520
Downloads: 31
Uploads: 0


Default

Read the article...

I've seen several "before and after" benchmarks for Linux and Windows.
Several processors from Intel, and AMD were tested.
Meltdown usually resulted in performance losses, which varied by task.
Spectre had performance losses, but not to the degree of Meltdown.
(both were mostly I/O task, but some other task as well.)

Except for the FX8350, which after a Spectre patch ( I forget which atm), was actually faster on several task...

Maybe this is the next performance boost for my PC.

This is the list of a search with the word "spectre".
https://www.phoronix.com/scan.php?page=search&q=spectre

I'll see if I can dig up the benchmarks.

Barracuda
BarracudaUAK is offline   Reply With Quote
Old 05-06-18, 06:11 AM   #7
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default

Ehem just to be clear, the thread and my links are about at least eight NEW vulernabilities, not so much about the already known ones.

And it seems to me that it will not stop there. Even less so when considering that the patching so far has introduced knew problems itself, and Microsoft is in open retreat from Windows regarding its quality assurance.

The whole hardware philosphy, especially for CPUs, is compromised. New hardware and chips also have to be put in question when considering that they get produced under influence of for exmaple known American and probably also unknown Chinese legislation that demands access for their intel services and thus hardware must and will have wanted security problems and backdoors that already get build into it in the factory.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 05-06-18, 06:58 PM   #8
BarracudaUAK
Captain
 
Join Date: Apr 2016
Posts: 520
Downloads: 31
Uploads: 0


Default

Let me break this down...

Quote:
Originally Posted by Skybird View Post
Ehem just to be clear, the thread and my links are about at least eight NEW vulernabilities, not so much about the already known ones.
...

Let *me* be clear.

My post was about the 'new' bugs as well, in reference to the known bugs.


Quote:
Originally Posted by BarracudaUAK View Post
Read the article...
I read it, and *understand* what they are discussing.

However, IF:

Quote:
Originally Posted by Skybird View Post
...the patching so far has introduced knew problems itself...
Then these are not technically *NEW* vulnerabilities, but instead incomplete patches/buggy software patches that need to be corrected.

Quote:
Originally Posted by BarracudaUAK View Post
...
I've seen several "before and after" benchmarks for Linux and Windows.
...
I've been following this (this=Meltdown/Specte) regularly since at least early January, when a bunch of articles started covering it.
And more recently with Benchmarks used to determine where, and how much performance loss after the patches.

This part:
Quote:
Originally Posted by BarracudaUAK View Post
...
Several processors from Intel, and AMD were tested.
Meltdown usually resulted in performance losses, which varied by task.
Spectre had performance losses, but not to the degree of Meltdown.
(both were mostly I/O task, but some other task as well.)
...
was just a bit on info on where those patches had performance losses.
AND to setup this piece of info:

Quote:
Originally Posted by BarracudaUAK View Post
...
Except for the FX8350, which after a Spectre patch ( I forget which atm), was actually faster on several task...
...
Intel CPUs have Meltdown and the patches reduce performance (particularly in I/O).
Some INTEL and (AMD) Ryzen have Spectre.

And all of these suffer performance losses with the patches applied.

However . the FX-8350 had a performance _*GAIN*_.
I have a FX-8350, I'm typing on it now... SO...

Quote:
Originally Posted by BarracudaUAK View Post
...
Maybe this is the next performance boost for my PC.
...
This comment was 50/50 a joke, and a serious statement.

Joke side: phhbbtttt, patches will slow it down... it didn't last time!
Serious side: Well it was warned that it could be a sizable loss, but I actually got a fair gain, when all others did not. We shall see what happens this time.

*IF* the patches follow the same "curve", then my FX-8350 could very well get another performance boost. (I'm not saying this next set of patches will, but it is possible.)


Quote:
Originally Posted by BarracudaUAK View Post
...
This is the list of a search with the word "spectre".
https://www.phoronix.com/scan.php?page=search&q=spectre
...
If YOU want to look at the benchmarks for the last batch of patches for Spectre...
You might find the one I mentioned.
Also, you might get an idea of what to expect with any further performance losses/gains.

Quote:
Originally Posted by BarracudaUAK View Post
...
I'll see if I can dig up the benchmarks.

Barracuda
I don't have it bookmarked and I don't remember which one it was, but I will look for it and try to find it.
So *YOU* can see the results yourself.


Now on to the rest of your post:

Quote:
Originally Posted by Skybird View Post
...
And it seems to me that it will not stop there. Even less so when considering that the patching so far has introduced knew problems itself, and Microsoft is in open retreat from Windows regarding its quality assurance.
This is just reinforcing my first post in this thread, if the *new* bugs are from the first patches, then it's just buggy patches.

As far as Microsoft/Windows, They've had it far worse than Linux has (at least for me), as far as stability and performance is concerned.

Quote:
Originally Posted by Skybird View Post

The whole hardware philosphy, especially for CPUs, is compromised.
I don't recall most people I've ever talked to being overly concerned about security, they just want it *faster*.

When you put all of your valuables on a shelf acessible from the *outside* of your home, you should not be surprised if (/when) you find them missing.

Barracuda

Last edited by BarracudaUAK; 05-08-18 at 07:02 PM. Reason: Forgot a few words!
BarracudaUAK is offline   Reply With Quote
Old 05-06-18, 07:12 PM   #9
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,336
Downloads: 9
Uploads: 0


Default

I did not want to give the impression that these new bugs are resulting from patching the old ones. The lousy patches for Intel CPUs as well as Microsoft microcode of the past 3 months or so just opened problems and technical issues as well - additionally to the old bugs and now new bugs. And quite some people who thought they made everything right when jumping on the initially recommended firmware updates deeply regretted it afterwards, too.

Nichts für ungut...

How things have changed. In years long gone by, you were safer when installing new microsoft updates as fast as possible. Nowadays you all too often are far better off if you avoid them as long as you can. My update options are on 30-35-365, and I set my cable connection to "metered". And even these settings are known to have been ignored and bypassed by Microsoft quite often in order to enforce their latest version 1803 on machines of people who did not want to serve in the first line of betatest lambs, but wanted to stick with 1709, or even 1703. Woody's list of what all is wrong with this months' update again, already is impressively long. No change to the past months' list, the past two years' lists. Some current entries are real bummers for those affected.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 05-06-18, 07:48 PM   #10
BarracudaUAK
Captain
 
Join Date: Apr 2016
Posts: 520
Downloads: 31
Uploads: 0


Default

Quote:
Originally Posted by Skybird View Post
...
Nichts für ungut...
...
None taken.

I got to thinking about it as I was reading your previous post.
Subtly and Nuance don't always translate well.
So I decided to be "blunt" or "straight on" with my explanations of what I meant.

Quote:
Originally Posted by Skybird View Post
...
Woody's list of what all is wrong with this months' update again, already is impressively long. No change to the past months' list, the past two years' lists. Some current entries are real bummers for those affected.
This is one of the reasons I run a Linux Distro that stays pretty close to the "bleeding edge".
(Fedora does have automated test, backed up by user testing for updates.)
I'll play Linux native versions of games (example Kerbal Space Program), and/or use WINE.
I'm not screwed over by Windows constantly having problems due to Meltdown/Spectre.

But this does ruin it for Windows users that just want to use their computer.
Which is ultimately, the saddest part of the whole thing.

Barracuda
BarracudaUAK is offline   Reply With Quote
Old 05-23-18, 10:20 PM   #11
BarracudaUAK
Captain
 
Join Date: Apr 2016
Posts: 520
Downloads: 31
Uploads: 0


Default

Linux patches have started landing...


Some of these have links to additional information.


Spectre Variants 3A & 4 Exposed As Latest Speculative Execution Vulnerabilities:
https://www.phoronix.com/scan.php?pa...ulnerabilities


Linux 4.9, 4.14, 4.16 Point Releases Bring SSBD For Spectre V4:
https://www.phoronix.com/scan.php?pa...9-To-4.16-SSBD


And some early benchmarks:

An Initial Look At Spectre V4 "Speculative Store Bypass" With AMD On Linux
https://www.phoronix.com/scan.php?pa...-initial&num=1


From the last link:
Quote:
But for Intel users today if booting to a patched kernel you will find your system reporting it's still vulnerable to Spectre V4 and even with the spec_store_bypass_disable kernel option cannot be forced enabled: you first need an upgraded BIOS / CPU microcode. Intel is working on getting that out to motherboard vendors/partners for hitting end-users in the weeks ahead.
Just thought I would post here with what I've seen.


Barracuda
BarracudaUAK is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 04:25 AM.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 1995- 2024 Subsim®
"Subsim" is a registered trademark, all rights reserved.