Major Intel CPU vulnerability
-
What process is Google Parlance? "Meltdown is Variant 3 in ARM, AMD, and Google parlance."
-
This statement certainly makes Intel's design a flaw, contradicting Intel's own statements: "Intel is badly hit by Meltdown because its speculative execution methods are fairly aggressive. Specifically, Intel CPUs are allowed to access kernel memory when performing speculative execution, even when the application in question is running in user memory space. The CPU does check to see if an invalid memory access occurs, but it performs the check after speculative execution, not before."
-
This is useful, ARM is not impacted but "will be in the future": AMD and ARM appear largely immune to Meltdown, though ARM’s upcoming Cortex-A75 is apparently impacted.
-
AMD Zen specifically has hardware that kills Spectre. So it's not a universal threat, even against procs that use all of the features that lead to it.
-
Our database vendor just reached out to tell us that 10-15% is the measured impact for our database.
-
@scottalanmiller said in Major Intel CPU vulnerability:
Our database vendor just reached out to tell us that 10-15% is the measured impact for our database.
That's substantial...
-
@scottalanmiller said in Major Intel CPU vulnerability:
Our database vendor just reached out to tell us that 10-15% is the measured impact for our database.
So does it affect performance only “after” it’s been patched?
-
@danp said in Major Intel CPU vulnerability:
Not surprising, unfortunately there is no way that they wouldn't be sued. If a patch has been developed this quickly, then there is clearly something majorly broken, but easily remedied.
-
@fredtx said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
Our database vendor just reached out to tell us that 10-15% is the measured impact for our database.
So does it affect performance only “after” it’s been patched?
Yes
-
Good article about how the likes of Vultr, Digital Ocean, Linode, and others are working together to try and solve the issues this creates. Sounds like they learned the same time we did.
-
@zachary715 said in Major Intel CPU vulnerability:
Good article about how the likes of Vultr, Digital Ocean, Linode, and others are working together to try and solve the issues this creates. Sounds like they learned the same time we did.
Which means Intel wasn’t disclosing to key vendors.
-
From my reading, they were disclosing to the big boys at Amazon, Microsoft, Google, but not to these other guys. So now they're scrambling.
I guess in reality you can't really reach out to EVERYONE affected immediately. You have to draw the line somewhere of who knows ahead of time and who doesn't. I just would have thought some of these providers were large enough to justify disclosure.
-
@zachary715 said in Major Intel CPU vulnerability:
From my reading, they were disclosing to the big boys at Amazon, Microsoft, Google, but not to these other guys. So now they're scrambling.
Right, and that's what I think is terrible. Some customers (not us) get to know about security problems and we (and likely most of our vendors) do not. It's Intel's right to treat some customers like total shit, and it's our right to see them as dishonest pieces of crap that I don't trust at all.
-
@zachary715 said in Major Intel CPU vulnerability:
I guess in reality you can't really reach out to EVERYONE affected immediately.
Yes, you can. And they decided that they had other priorities that didn't involve their customers. They were focused on trying to hide as much as they could, for as long as they could; rather than being honest and doing the right thing.
And they totally screwed a lot of customers, big and small. They made it extremely clear that only the very biggest, most powerful companies that could sue the crap out of them get the "best" security protection. Everyone else is thrown to the wolves.
-
@zachary715 said in Major Intel CPU vulnerability:
I just would have thought some of these providers were large enough to justify disclosure
There is an easy guide for where to draw the line - anyone who purchased an Intel CPU was big enough to have gotten the flaw, and therefore had a right to know the instant Intel found out. Intel has an ethical, and hopefully legal, obligation to have informed their customers that they were (and are) at risk. Knowing that there was this risk and intentionally hiding it should have major legal ramifications, beyond the financial ones.
There might be a time where it is okay to find a security hole and try to patch it. But once you are telling SOME customers, and not others, you've crossed a serious line.
For example, what if one of the big customers that they told was the NSA or the Russian or Chinese government, or some hacker group, a malware vendor, or anyone who has employees that aren't 100% trusted? These are big vendors with hundreds of thousands of employees to which this was disclosed. And we know that it was leaked to the public. That means that the bad guys knew before it went public.
I think that people are overlooking how insanely bad and anti-secure it is to pick a few giant companies to tell, but not others. It's not just that Intel likes those few and doesn't like the others. It's that Intel actively disclosed to a few companies how they could hack all of Intel's other customers.
Intel forced all of us to trust not only Intel (whom I no longer trust) but anyone that Intel trusted without telling us that they were selling out our security secrets.
-
Think of it another way, imagine if Intel made door locks. They discover that there is a way to unlock the doors without the key. They then call a bunch of your competitors and tell them about how your doors can be bypassed without you knowing.
That's exactly what Intel did. They sold the security secrets of the many, to a few partners with the deepest pockets. As far as I'm concerned, people should be going to jail over this.