Intel claims CPU security flaw not unique to its chips, implies ARM and AMD chips could be...

2

Comments

  • Reply 21 of 49
    foggyhillfoggyhill Posts: 4,767member
    dewme said:
    Intel's response is a bit vague but it almost sounds like CPU features put in place to allow kernel mode debug tracing and monitoring may be susceptible to nefarious hacking? I do know that companies like Intel (and pretty much all product manufacturers) are very adamant about never using or allowing words like "defect" and "flaw" to be used in association with their products, both internally and externally. This is due to product liability concerns and forced transparency of Title 21 CFR Part 11 regulations in certain industries. No surprise at all that Intel is getting out in front of this and squashing those words from the developing narrative. 

    I'm willing to give Intel the benefit of the doubt and take a wait-and-see approach. They do seem to have some pretty sharp business and engineering minds in their ranks. Let's see what they will do in conjunction with their OS vendor partners.

    Just my opinion, but I've always found that the least productive and most damaging reaction to anything that like this is panic. Panic coupled with a lack of data, speculation, and insufficient understanding of the issue will most certainly latch the Bozo Bit and cause normally stable people to do really stupid things, like wrapping their PC in tin foil and burying it in the backyard, or reverting to using an abacus as their only computing device. Hopefully the media won't run amok with this like they so often do with anything Apple related.  
    Actually, Intel's reaction is expected, keeping cool and underplaying this is always the first reaction in those cases. The issue is not that Amazon, or Windows will have a fix, it's that this fix will be certainly not be propagated widely leaving a huge web of vulnerable machines all over the place (like old Android phones basically). Once they're issued the fix, people at intel want to move on say that all is fine now ignoring the mess of insecurity they left in their wake (again like Google).

    That we've been raised to tolerate in tech what we would not tolerate in any other sphere is what I find outrageous; companies exploit people's placidity and meh attitude in the face of what would be considered big risks in other industries.

    Why would they change if producing crappy unsecure products is expected from them them and nobody really makes them pay for it.
    edited January 2018 magman1979cornchip
  • Reply 22 of 49
    foggyhillfoggyhill Posts: 4,767member
    I don't care if every CPU is compromised.. I still want a replacement or a refund.
    I’m curious on what grounds you actually may have the right to either of the two. Apart from commons sense of course, just I don’t think IBM (or the OEM for that matter) promised the absence of this particular flaw. So you’re in the arena if “general quality expectations” relate to state of the art etc. I suppose? 
    Any legal insight into this would be welcome. 
    Well, if you've bought a computer to do task X and it can't fullfill it, it could be consumer fraud or some other similar things.
  • Reply 23 of 49
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.
    Except the hit to performance.
    Doesn't appear to be one on the Mac. What appears to be most of the fix was implemented in 10.13.2.
    That’s good news.
  • Reply 24 of 49
    volcan said:
    AMD denies its processors have the same vulnerability.

    Email from Tom Lendacky SMTS Software Engineer - ‎AMD

    From Tom Lendacky <>
    Subject [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
    Date Tue, 26 Dec 2017 23:43:54 -0600

    AMD processors are not subject to the types of attacks that the kernel
    page table isolation feature protects against.  The AMD microarchitecture
    does not allow memory references, including speculative references, that
    access higher privileged data when running in a lesser privileged mode
    when that access would result in a page fault.

    Disable page table isolation by default on AMD processors by not setting
    the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
    is set.

    Signed-off-by: Tom Lendacky <[email protected]>
    ---

    That’s good news for the new AtariBox :)
  • Reply 25 of 49
    foggyhill said:
    I don't care if every CPU is compromised.. I still want a replacement or a refund.
    I’m curious on what grounds you actually may have the right to either of the two. Apart from commons sense of course, just I don’t think IBM (or the OEM for that matter) promised the absence of this particular flaw. So you’re in the arena if “general quality expectations” relate to state of the art etc. I suppose? 
    Any legal insight into this would be welcome. 
    Well, if you've bought a computer to do task X and it can't fullfill it, it could be consumer fraud or some other similar things.
    Sure. Just I would guess that as a consumer you didn’t get the promise that a) its so task xyz in a fixed amount of time, b) you’re entitled to any fix on bugs discovered later on, c) any fix or update will not impact performance. 

    IMO this case does not compare easily to e.g. Dieselgate where you as co Sumer were promised a specific set of features or properties, and later you’d find that it’s an XOR between performance and pollution. 

    Basically, what if an OEM would simply not update? As in many Android devices? You likely won’t succeed in suing the manufacturer along the lines of “hey, I’m entitled to x amounts of updates” or similar. 

    On the other hand I would expect some reasonable level of state of the art implemented. And this includes for me aspects of security and speed. So the question to me circles around: can I prove that the product is defective from a product liability standpoint beyond explicitly promised properties or features. 
  • Reply 26 of 49
    gatorguygatorguy Posts: 23,380member
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    First in.... :/


    edited January 2018
  • Reply 27 of 49
    gatorguygatorguy Posts: 23,380member
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
  • Reply 28 of 49
    nhtnht Posts: 4,522member
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
    That doesn’t help the multitude of android phones that don’t get updates or security fixes.  None of my android phones will ever see this fix and they are younger than the iPhone 6 I’m using.
    magman1979ericthehalfbeewilliamlondonwatto_cobra
  • Reply 29 of 49
    polymniapolymnia Posts: 1,062member
    lkrupp said:
    I don't care if every CPU is compromised.. I still want a replacement or a refund.
    Then lawyer up, dude. Wanting and getting are not related.
    That, and...

    hopefully you you have some evidence that a task you did easily yesterday is seriously impeded tomorrow. 

    My Mac is working just fine. 
    williamlondonwatto_cobra
  • Reply 30 of 49
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138

    We all know Google fixes security exploits fairly quickly.

    The problem is the majority of devices never receive these fixes. And since this is (yet again) a low-level exploit, Google Play Services can’t (yet again) do anything about it.
    watto_cobra
  • Reply 31 of 49
    Rayz2016Rayz2016 Posts: 6,957member
    lkrupp said:
    I don't care if every CPU is compromised.. I still want a replacement or a refund.
    Then lawyer up, dude. Wanting and getting are not related.
    Unless he can prove physical harm, then he doesn’t have a leg to stand on. 

    His best bet would be some sort of class action based on insider trading perhaps, since it has come to light that Intel's CEO dumped $24million in company stock soon after he was made aware of the problem. 

    http://uk.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?r=US&IR=T

    He now holds the minimum stock required by his contract of employment. 
    edited January 2018 watto_cobra
  • Reply 32 of 49
    Rayz2016Rayz2016 Posts: 6,957member
    It’s always been my understanding that Apple’s processors are not really ARM chips at all: they’re custom silicon that just happens to use the ARM instruction set. 

    If this is the case then they might not be affected by this. 
    On the other hand, they might be affected by something else. 
    cornchipwatto_cobra
  • Reply 33 of 49
    Update: "The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," AMD said in a statement. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
    This is true, AMD is not susceptible to all three variants ... just one of them. 

    And the lines about zero or near zero risk is only about the other two variants.
    For the variant they are susceptible to, AMD is saying it can be "resolved by software / OS updates".   (sound familiar?)

    Source
    watto_cobra
  • Reply 34 of 49
    "these exploits do not have the potential to corrupt, modify or delete data" (Intel statement) is not contrary to "an attacker could likely steal "any data on the system"" (later ZDNet post).
    randominternetpersonwatto_cobra
  • Reply 35 of 49
    k2kwk2kw Posts: 2,068member
    nht said:
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
    That doesn’t help the multitude of android phones that don’t get updates or security fixes.  None of my android phones will ever see this fix and they are younger than the iPhone 6 I’m using.
    If you use an android phone you really don't care about security.   So just don't let anyone get a hold of your phones and it won't matter that there is no fix.
    watto_cobra
  • Reply 36 of 49
    nhtnht Posts: 4,522member
    k2kw said:
    nht said:
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
    That doesn’t help the multitude of android phones that don’t get updates or security fixes.  None of my android phones will ever see this fix and they are younger than the iPhone 6 I’m using.
    If you use an android phone you really don't care about security.   So just don't let anyone get a hold of your phones and it won't matter that there is no fix.
    I give them to my kids because ScreenTime works better on android than iOS.  And nope I don’t care but the implication that the majority of deployed Android devices won’t remain vulnerable because Google has a patch for the latest devices is clearly false.

    Gatorguy likes to pretend to be the voice of reasoned opposition but invariably posts idiocy like this showing his true purpose here. Concern trolling and spreading false equivalency.
    edited January 2018 StrangeDayswatto_cobra
  • Reply 37 of 49
    cornchipcornchip Posts: 1,902member
    Rayz2016 said:
    It’s always been my understanding that Apple’s processors are not really ARM chips at all: they’re custom silicon that just happens to use the ARM instruction set. 

    If this is the case then they might not be affected by this. 
    On the other hand, they might be affected by something else. 
    I was wondering this myself.
    watto_cobra
  • Reply 38 of 49
    StrangeDaysStrangeDays Posts: 12,067member
    nht said:
    k2kw said:
    nht said:
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
    That doesn’t help the multitude of android phones that don’t get updates or security fixes.  None of my android phones will ever see this fix and they are younger than the iPhone 6 I’m using.
    If you use an android phone you really don't care about security.   So just don't let anyone get a hold of your phones and it won't matter that there is no fix.
    I give them to my kids because ScreenTime works better on android than iOS.  And nope I don’t care but the implication that the majority of deployed Android devices won’t remain vulnerable because Google has a patch for the latest devices is clearly false.

    Gatorguy likes to pretend to be the voice of reasoned opposition but invariably posts idiocy like this showing his true purpose here. Concern trolling and spreading false equivalency.
    Nailed it. 
    watto_cobra
  • Reply 39 of 49
    tipootipoo Posts: 1,120member
    Bit of a swerve from Intel. Only the weaker, far less probable flaw impacts AMD, while the more severe flaw impacts Intel. They word it as if they're both equally bad off. 
    watto_cobra
  • Reply 40 of 49
    gatorguygatorguy Posts: 23,380member
    nht said:
    k2kw said:
    nht said:
    gatorguy said:
    wood1208 said:
    By the time some hacker understands how to exploit the flaw, patch is already in place. No foul No harm!!.

    Except over a billion Android devices that will never see a patch to fix this.
    https://support.google.com/faqs/answer/7622138
    That doesn’t help the multitude of android phones that don’t get updates or security fixes.  None of my android phones will ever see this fix and they are younger than the iPhone 6 I’m using.
    If you use an android phone you really don't care about security.   So just don't let anyone get a hold of your phones and it won't matter that there is no fix.
    I give them to my kids because ScreenTime works better on android than iOS.  And nope I don’t care but the implication that the majority of deployed Android devices won’t remain vulnerable because Google has a patch for the latest devices is clearly false.

    Gatorguy likes to pretend to be the voice of reasoned opposition but invariably posts idiocy like this showing his true purpose here. Concern trolling and spreading false equivalency.
    Oh, geez...
    What did I post that was "idiocy", a link to a Google FAQ? You're certainly not referring to any opinion from me since I didn't write one.  Some posters here can act so Strange* at times, knee-jerk reacting to a person instead of what they wrote. Don't be one of those posters, be smarter than that. 
    edited January 2018 durandal_1707muthuk_vanalingamr2d2singularity
Sign In or Register to comment.