Newer AMD Ryzen chips have SQUIP vulnerably
Click here to post a comment for Newer AMD Ryzen chips have SQUIP vulnerably on our message forum
PrMinisterGR
Crap.
Makes me wonder how many of these were known by intelligence agencies all this time.
anticupidon
BLEH!
Maybe it's time for some ground-up architecture design with security at the heart of it...
southamptonfc
cucaulay malkin
H83
BLEH!
Horus-Anhur
Agonist
tunejunky
mbk1969
schmidtbag
I'm so bored of vulnerabilities that require physical access to the device. Vulnerabilities aren't worth anyone's concern if you have to physically be there to exploit them. While the article doesn't mention this, someone on another forum quoted a part of the publication that suggested this is the case. It's even more stupid when the exploit can be fixed via better development practices. At that point, why care at all? That's like writing a program that doesn't hide your password when you type it in - should AMD or Intel be expected to patch the CPU because of developer negligence?
In any case, seems like SMT/HT really needs to be ditched. Intel's method has so many security holes that it hardly yields any performance advantage anymore. To my understanding, AMD's method is almost a physically complete second core, in which case: why not just make another physical core?
Not much point. Might as well just disable most of the features that make these so vulnerable in the first place.
For most of such companies, you need to go through multiple layers of security. I've been to companies where someone has to let you into the building, you get a body scan, you then get a special keycard, there are security guards patrolling the server room, and there are cameras everywhere. There's no phone connection or wifi in the server room, and nothing is allowed to leave the server room. Many of the servers are not connected to the internet. We're talking server rooms with hundreds of millions or even billions of dollars worth of servers, where you won't be able to extract anything useful out of just any single one of them with anything you can sneak out (especially as things like Kubernetes gets more popular, where a single server might not be processing enough data to be of any use). The easiest way to destroy such an organization is to just play dominoes with the server racks by just pulling all the drawers out.
TL;DR: the risk of attempting to exploit these on-site vulnerabilities is too high to be worthwhile, and if you have the opportunity to exploit them, there are easier alternatives.
Horus-Anhur
mbk1969
Horus-Anhur
mbk1969
BLEH!
Horus-Anhur
schmidtbag
Celcius
I know someone, who upon learning this, will be quite pleased to find that his decision to grab the R5 3500X will give him the last laugh after all.
"QUIP affects all other Ryzen, Athlon, Threadripper, and EPYC processors with SMT. Excluding Ryzen 1, 2 and 3." (???)