New Meltdown like Vulnerability hits Intel: LVI Security vulnerabilities

In addition, updates in the microcode, which Intel is likely to have in the works, could cause calculations to be performed 2 to 19 times slower on certain workloads, so this is a big one. The expectation is that these software updates simply will not get installed by many due to that performance hit.
Okay, 19 times slower means what now? This is a language question since 2 times slower means twice the time needed, 19 times slower means 19 times the duration needed for calculations? That would be a huge hit... practically making the CPUs all but unusable for such scenarios. If I understood this correctly.
Yeah, saw this on the Linux Newsfeed, wanted to share it here but I just ignore it. At this point, it's just beating a dead horse. Don't get me wrong, I want all CPUs to be secure, regardless of brand, but it seems that's the price we pay for branch prediction or another way of data prediction, just to gain more computational speed. It's the same triangle: performance, security, price. Choose 2, you can't have all 3.
I understand these researchers are doing it for press coverage, but don't they have anything else better to do? Watch movies, drink beer, enjoy life?
Security people are ever the paranoid. Enjoy life? They are quite enjoying it, but making money in security field. But their way of enjoyment wildly varies from the average person.
yeeeeman:

I understand these researchers are doing it for press coverage, but don't they have anything else better to do? Watch movies, drink beer, enjoy life?
It's their job. They do it to get money for watching beer, drinking movies, and lifing enjoyment.
Bring it on! With the world consumed by COVID 19, Intel vulnerabilities are more of a laughing matter now. Surprised anyone gives a crap anymore.
Source link has been removed / does not exist
The problem here is that while gamers can skip all the patches, and they probably should if they are just gaming, enterprise just can't. If the microcode updates are slow enough, that may be a problem for Intel.
More performance reductions. My 4770K... I mean Pentium 3 by now is ready!
AMD fires back boom! 😱
who needs security when you have all that speed?
My god, maybe with 34 more patches my i9 can be beaten by a Ryzen 3800X
anticupidon:

Security people are ever the paranoid. Enjoy life? They are quite enjoying it, but making money in security field. But their way of enjoyment wildly varies from the average person.
I would argue you can't fully enjoy life if you live in fear. That doesn't mean you should be irresponsible about proper safety, but happiness is limited by those who have so little trust in others that they feel a need to sacrifice convenience and practicality in their personal lives. Sure, some people don't mind the inconveniences, and some no longer live in fear as a result of their added security. But the fact they have so little faith in humanity to bring them to such a point is still a bleak look at society. In another perspective: I would feel safer to triple-lock my doors, arm myself everywhere I go, use a VPN, use 2-step authentication to unlock my phone, and encrypt the drives on all of my devices. But if I really felt the need to do such things, that should mean I have a good reason to believe harm will come to me. If that's the case, I'm either living in a place that's too dangerous, or, I did something to make someone want to hurt me, in which case such methods of security aren't sufficient. I think it's critically important to take security seriously for businesses and governments, but when it comes to your own personal day to day life, there is a point where paranoia will spoil your happiness.
I'm certain that AMD is happy its CPUs are invulnerable to Meltdown attacks. "Meltdown"--these names are so silly--it's like they think, "How can we name them in order to scare people?" It's like COVID-19--common flu strains are far, far worse in lethality and rates of infections every year--COVID-19 isn't a microscopic patch on the flu--but what do people worry about? "COVID-19"--sometimes I despair of the human race...
The research paper PDF is here: https://lviattack.eu/lvi.pdf Its abstract includes the following interesting section... "Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation."
Bitdefender states: https://www.bleepingcomputer.com/news/security/new-lvi-intel-cpu-data-theft-vulnerability-requires-hardware-fix/ "This is not an average, run-of-the-mill malware attack that one would use against home users for instance." "This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure." "Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."
Check out "Daniel Gruss" YouTube page for an interesting, just released (yesterday), assembly language LVI demo.
It would be extremely interesting to find out just how much security compromise has taken place in the never ending "desire to be the fastest" and/or 'optimisation' of prediction pathways. As consumers, we should be extremely grateful to researchers in the work they do - never leave it to a manufacturer to always do the right thing. While not naming names, there is...shall we say...a pattern? On the other hand, these are extremely complex devices. Keeping track of an increasing number of potential 'what-if' misses will become increasingly problematic...A.I. anyone?
One thing that I don't see mentioned enough is the nature of actual exploit 'kits' in the wild. It is very rare to see monolithic exploits being used in an attack. Instead 'kits' come packaged with many interconnected exploits all designed to breach a specific level of security culminating in a full compromise. While an individual exploit might be tough to use on its own to accomplish much, every newly discovered exploit gives each phase of an attack additional methods to become successful.
Mesab67:

It would be extremely interesting to find out just how much security compromise has taken place in the never ending "desire to be the fastest" and/or 'optimisation' of prediction pathways. As consumers, we should be extremely grateful to researchers in the work they do - never leave it to a manufacturer to always do the right thing. While not naming names, there is...shall we say...a pattern? On the other hand, these are extremely complex devices. Keeping track of an increasing number of potential 'what-if' misses will become increasingly problematic...A.I. anyone?
Not so much compromises but certainly ego driven "Heh, no one is smart enough to figure out how to mess with this". There is also a huge issue with it being very difficult to account for all potential misuse circumstances. You are 1 billion % right about AI. The next generation of CPU development needs AI unleashed on it to determine what can be breached or misused for unintended access. If chip makers all get together and make a commitment to a new way of creating processors we are going to end up with a very interesting delineation in technology history. We will end up with the "insecure era" and "more secure era" resulting in a nearly unfathomable amount of technology considered to be obsolete in the modern world no matter how well it performs. The e-waste problem that results from this is going to be disgusting.
waltc3:

It's like COVID-19--common flu strains are far, far worse in lethality
No they aren't. I also have no idea what this has to do with naming of attack schemes. No one I know calls the ongoing coronavirus, COVID-19 - it's only used in scientific publications or news releases, whereas meltdown is a name for the masses. So it's literally the opposite as far as my experience.
Intel Management Engine (ME) Firmware Version 12.0.49.1556 (S&H)(1.5Mo) Is this the new patch that makes it slower? Because I made the mistake and installed it already. If that's the case, I'll re-install the slightly older one, Intel Management Engine (ME) Firmware Version 12.0.49.1534 (S&H)(1.5Mo). I also use the InSpectre utility in order to disable the old ones that make the CPU slower in certain aspects. I want my gaming PC with Intel CPU and all its holes open, but all the performance untouched. I never even use banking or credit card on this PC. Nothing that worries me. Simply want the performance it was intended for.
You will never convince me that all these side-channel attacks have value for "professional" malware hackers. Why waste your time in trying to see valuable information in bits of cache memory when you can simply take remote "root" control of millions and millions of computers of uneducated users by sending them letters with fake links (and even software) promising something, or by putting "bad" versions of software on file servers (torrents)? And speaking about bank operations, as I take it most of the users use smartphones for that. I guess such research is valuable for the researchers themselves: they got reputation, they got grants, probably they even got a Ph.D.