Researchers reveal Variant 4 of Spectre vulnerability

schmidtbag:

And I can argue confidently the opposite of that. Remember, these vulnerabilities have been around for years and there is no evidence they have ever been exploited, even today. If malware authors were as successful as you claim, this problem would've been noted a long time ago. No, my point is since there are CPUs and OSes that can't/won't be patched, you don't want to unnecessarily draw attention to them, and how to exploit them. So in other words, in option A, you're not only told the door is open, but you're also told where it is. In option B, you're told the door exists and is open, but not where it is. In option C, you're not told the door exists. There's a much smaller chance to exploit an open door that you don't know about. Understood, but it is possible to delay the inevitable, and in doing so, you can reduce the damage. This is what I find the most crucial. When you tell hackers there's a problem and give enough specifics about how to exploit it before a patch has been widely deployed, you are doing a disservice to the public. Right, in which case informing the public is totally fine. But I'm referring more to the hardware-specific problems, and problems where software updates can't realistically be deployed (such as many ARM systems). Except to my understanding, most (not all) of these security issues only affect a select few devs (particularly, OS/kernel devs). Seeing as many of these devs are the ones who discovered the vulnerabilities in the first place (suggesting it is important to them), it makes sense they would have the incentive to fix the problems without publicizing it. These are no ordinary security problems. Even at a hardware level, these are a bit unusual. The worst thing you can do about ethics or morality is assume they apply universally (they don't), which in turn affects whether the action is justifiable.
That's why people get culture shock when visiting certain countries, or why political differences exist within a single country or across generations. I'm not saying that what these tens of thousands of people think is wrong - what I'm saying is there are exceptions. And in the case with these vulnerabilities, there is a glaring exception: Millions of devices will not be patched. By telling hackers a problem exists, who is affected, and how to exploit it, you are actively putting people in danger who may have no solution. That is indisputably unethical by any definition. It is not realistic to expect all of them to transition to a new platform. This is no ordinary security problem, and it should not be treated as such.
The hackers already knew a problem existed when the vector for vulnerability was disclosed in 2016 at blackhat conference. The better part of the netsec community knew about the vulnerability in relation to all Intel processors weeks before the disclosure, it was all over /r/netsec. That's my point - you aren't keeping this secret, the cat was out of the bag on both these exploits literally two years before it was disclosed and fully leaked and understood by the wider community two to three weeks before disclosure. So what exactly is the benefit of saying "we need to keep it secret for longer" when everyone knew about it weeks before the secret was up? It's not just kernel devs that need to know about exploits of this kind, it's also architecture engineers designing hardware fixes, system validation engineers and software developers validating that the kernel devs are actually fixing the issue and not breaking a million other things, etc. It's across like 6+ different hardware vendors if not more when you consider Nvidia and whatnot also had to make changes in order to mitigate the problem in their drivers, plus countless other security vendors that implement ARM based SoCs in switches/firewalls/etc - they all need to be updated and patched and in order to do that they need to be fully knowledgeable about the exploit. By the time you're done 10K+ if not more people know about it - a portion of those people are engaged in the netsec community and it leaks everywhere. Which is exactly what happened. So idk, you're not keeping it secret and honestly even if you could I don't think the advantages outweigh the negatives. I want to know when my hardware/software is insecure and I want to be able to demand that companies fix it or know I need to replace hardware in order to be secure.
I don't trust Intel to do it behind the scenes - hell, even under public pressure to get it done they've dropped the ball and announced that half their hardware isn't even receiving a patch, and countless delays. 180 days is generous and that itself is the exception, as the disclosure is typically 90 (unless you're AMD, then it's 24 hours looooool) - the extra time isn't even going to matter because the devices will never be patched regardless.
Denial:

The hackers already knew a problem existed when the vector for vulnerability was disclosed in 2016 at blackhat conference. The better part of the netsec community knew about the vulnerability in relation to all Intel processors weeks before the disclosure, it was all over /r/netsec. That's my point - you aren't keeping this secret, the cat was out of the bag on both these exploits literally two years before it was disclosed and fully leaked and understood by the wider community two to three weeks before disclosure. So what exactly is the benefit of saying "we need to keep it secret for longer" when everyone knew about it weeks before the secret was up?
I wasn't aware of any of that. I've only heard how companies like Google, Intel, and MS knew of the problem. So at that point yes, I don't see a point in keeping it a secret any further (largely because at that point, it isn't a secret anymore) and therefore I would have to agree with everything else you said in previous posts.
BLAH BLAH BLAH. Until someone actually gets hacked via Spectre or Meltdown, I'd rather not keep hearing about it, thanks. We all know by now that all of the Spectre attack paths require local machine access and considerable knowledge and effort to affect a machine, but that's it, one machine, big deal.
It is tiring and irrelevant to guru3d. We are not a cybersec or hacking tips site. I can only tolerate this rubbish for performance loss, meaning benchmarks. Anything more is a headache and food for nerds or no-lifers. HH please stop this kind of news as it is uninteresting for the real life PC user / gamer.
warlord:

It is tiring and irrelevant to guru3d. We are not a cybersec or hacking tips site. I can only tolerate this rubbish for performance loss, meaning benchmarks. Anything more is a headache and food for nerds or no-lifers. HH please stop this kind of news as it is uninteresting for the real life PC user / gamer.
It is very relevant to G3D. Our hardware is the target of these sort of threats. We need to know all there is to know as quickly as we can whenever such threats may exist.
I actually flashed back to Microcode 22 for my CPU, cuz the Spectre Fix causes all kinds of unexplainable issues.
Performance hit is up to 8% on Intel CPUs. I find it concerning that the reaction time of Intel and Microsoft has been so slow to these problems; patches for Linux are already available for all the stable kernels, just waiting on Intel to provide microcode. It should be noted that this exploit can be mitigated the same way as some of the other Spectre exploits: lowering the timer resolution makes it much more difficult to use, so web browsing should still be relatively safe even on machines without the required microcode.
Thankfully this will never affect me nor most users
vonSternberg:

So has anyone ever been affected by either Spectre or Meltdown? All I see is news about "new vulnerabilities" but never have I heard of someone actually having problems with this thing. Google only yields results to said news.
Nope, but I know it has affected databases and other systems in some companies, but for a regular user/gamer it's not really something you need to worry about
Athlonite:

BLAH BLAH BLAH. Until someone actually gets hacked via Spectre or Meltdown, I'd rather not keep hearing about it, thanks. We all know by now that all of the Spectre attack paths require local machine access and considerable knowledge and effort to affect a machine, but that's it, one machine, big deal.
And you still comment on it then, although you're not interested in hearing about it? 😉 No wonder nobody can do a real performance review of the crippled Intel CPUs, because not only would @Hilbert Hagedoorn probably need a week just for doing that, but he can't, since before he'd be finished he'd need to start all over because of another Intel CPU sec flaw 😀
I seriously don't believe this shit anymore. Just ignore this kind of news. Will they patch and protect all their hardware? NO!?.. Why not??! Are we safe with Linux already? YES?.. Wake the fk up!
Knowing the problem is important, but no matter what... there is no perfect security anyway; anything human-built will always have flaws... and there is a cat & mouse game between exploits and patches, no other way than to accept it... and just let those chip makers/designers and software programmers solve issue after issue. If you can't accept it, then exile yourself in the offline world.
In other news, there are hackers but we can't seem to find any of them making a living doing this. but to be safe we should all toss out our computers before they become infected.
Just thought I'd mention that InSpectre #8, latest version as of five minutes ago when I double checked, does not appear to check for Spectre 3a and Spectre 4 at all, as of the present moment. So, fat lot of good that does at the moment--but this is obviously not the author's fault--read on...I certainly share everyone's obvious disdain for all of this and wonder what's really going on here--I mean, the way it is supposed to work is that the Project Zero hackers (Google, et al) are supposed to let AMD, Intel, and Microsoft, and whoever else may be affected, know about these conjectured and theoretical "vulnerabilities" a whole 90 days before the information is made public, and even the 90 days is not written in stone, the hackers could actually give the companies a year or more if they wanted. The *only* reason that I can see for discovering this stuff and two days/two weeks later making it public is because of malware discovered in circulation that actually depends on the vulnerability in order to function as some type of malware. So...*why* all of this rush to fix vulnerabilities without any known incidents of Spectre/Meltdown malware having been discovered anywhere in public domain circulation? The answer to that question will tell us a lot, imo. I'm not sure we are going to *get* a straight answer on that, unfortunately. The entire idea of these things being some kind of back-door for the NSA, or FBI, or KGB, whomever, is, I think, very much mistaken simply because in that case the manufacturers of the cpus would certainly *know* about them as they'd have to be designed into the cpus deliberately prior to them being manufactured and shipped. Obviously, nothing like that is going on.
My opinion for what it's worth is as follows: I don't mind the patches, Windows or cpu microcode via bios updates, so long as cpu performance is not sacrificed--my personal threshold for cpu degradation is a 1-2% absolute maximum slowdown for these cpu microcode fixes, under a very narrow set of conditions, and of course preferably no performance loss at all. I also prefer bios microcode updates to OS-delivered microcode updates because then the fixes remain in place when the OS is reinstalled or when another OS is employed on the same general hardware and cpu. I was pleased to see that MSI rectified the Spectre 2 cpu microcode slowdown imposed by their first attempt via a bios update--I was concerned after their first attempt because the performance penalties were stiff in certain cases and I had no trouble demonstrating or repeating them. Next bios release fixed 99% of it! This gives me hope that at least on my current AMD hardware the Spectre4 (AMD says it hasn't found any vulnerabilities to 3a as of yet) cpu microcode patches applied in a bios release won't exact stiff performance penalties after all. I conclude by saying that it's obvious that most of us find the performance so far of the "project zero" people to be very amateurish, and that's being flattering to them, I think. I can see by the tone and tenor of the posts ahead of mine that we are all pretty much sick and tired of this kind of thing. To add insult to injury, next we have to put up with fraudulent "companies" sprouting up from literally nowhere to make all kinds of bogus claims--like for instance calling access to a machine plus administrator rights a "vulnerability" when in fact that is exactly what Admin mode is supposed to supply the end user--access to his own computer/workstation! So who is doing this for various shady financial reasons, etc.? We know the outright frauds are doing it for that motive, obviously. But what about the rest? What a mess Google has helped make, imo.
Someone has declared war on x86 PC cpus for some reason, apparently. Motive speculations anyone?
Oh dear, will this ever end :/
waltc3:

Just thought I'd mention that InSpectre #8, latest version as of five minutes ago when I double checked, does not appear to check for Spectre 3a and Spectre 4 at all, as of the present moment. So, fat lot of good that does at the moment--but this is obviously not the author's fault--read on...I certainly share everyone's obvious disdain for all of this and wonder what's really going on here--I mean, the way it is supposed to work is that the Project Zero hackers (Google, et al) are supposed to let AMD, Intel, and Microsoft, and whoever else may be affected, know about these conjectured and theoretical "vulnerabilities" a whole 90 days before the information is made public, and even the 90 days is not written in stone, the hackers could actually give the companies a year or more if they wanted. The *only* reason that I can see for discovering this stuff and two days/two weeks later making it public is because of malware discovered in circulation that actually depends on the vulnerability in order to function as some type of malware. So...*why* all of this rush to fix vulnerabilities without any known incidents of Spectre/Meltdown malware having been discovered anywhere in public domain circulation? The answer to that question will tell us a lot, imo. I'm not sure we are going to *get* a straight answer on that, unfortunately. The entire idea of these things being some kind of back-door for the NSA, or FBI, or KGB, whomever, is, I think, very much mistaken simply because in that case the manufacturers of the cpus would certainly *know* about them as they'd have to be designed into the cpus deliberately prior to them being manufactured and shipped. Obviously, nothing like that is going on.
My opinion for what it's worth is as follows: I don't mind the patches, Windows or cpu microcode via bios updates, so long as cpu performance is not sacrificed--my personal threshold for cpu degradation is a 1-2% absolute maximum slowdown for these cpu microcode fixes, under a very narrow set of conditions, and of course preferably no performance loss at all. I also prefer bios microcode updates to OS-delivered microcode updates because then the fixes remain in place when the OS is reinstalled or when another OS is employed on the same general hardware and cpu. I was pleased to see that MSI rectified the Spectre 2 cpu microcode slowdown imposed by their first attempt via a bios update--I was concerned after their first attempt because the performance penalties were stiff in certain cases and I had no trouble demonstrating or repeating them. Next bios release fixed 99% of it! This gives me hope that at least on my current AMD hardware the Spectre4 (AMD says it hasn't found any vulnerabilities to 3a as of yet) cpu microcode patches applied in a bios release won't exact stiff performance penalties after all. I conclude by saying that it's obvious that most of us find the performance so far of the "project zero" people to be very amateurish, and that's being flattering to them, I think. I can see by the tone and tenor of the posts ahead of mine that we are all pretty much sick and tired of this kind of thing. To add insult to injury, next we have to put up with fraudulent "companies" sprouting up from literally nowhere to make all kinds of bogus claims--like for instance calling access to a machine plus administrator rights a "vulnerability" when in fact that is exactly what Admin mode is supposed to supply the end user--access to his own computer/workstation! So who is doing this for various shady financial reasons, etc.? We know the outright frauds are doing it for that motive, obviously. But what about the rest? What a mess Google has helped make, imo.
Someone has declared war on x86 PC cpus for some reason, apparently. Motive speculations anyone?
A few things: the first of these exploits were disclosed to HW vendors 6 months prior to public disclosure. Project Zero has been very professional about the whole thing; they have provided extensions to their deadlines frequently when asked, and they even provided a way to mitigate Spectre and Spectre 2 (retpoline) without needing a microcode update on most CPUs. It is Microsoft and Intel who have been slow to fix their products. The fact that the latest stable Linux kernels already have support for Spectre v4/3a mitigation and AMD already had microcode available for it goes to show how slow Microsoft and Intel are to react. There is no excuse; Intel and Microsoft aren't putting as high of a priority on this as they should, that's the fact of the matter. The main reason for putting deadlines on these things is so that they actually attempt to fix their products; there have been plenty of times where Microsoft ignored serious security problems for months, and only fixed it once it became public. This is not their first rodeo. The InSpectre tool couldn't detect Spectre mitigation for v3a/4 even if it wanted to, since the Windows patches are not available yet, and when they do land they will be disabled by default since the perf hit is expected to be up to 8% in some scenarios on Intel CPUs. I do think it's good that this stuff is disclosed; it means that eventually we might have CPUs that aren't swiss cheese one day. Also, the fun part about this is that these aren't the high risk exploits that Intel received a deadline extension for. Wonder how much performance those will eat.