WE ARE ALL DOOMED!
Thread Starter
Join Date: Nov 2002
Location: Tapping the Decca, wondering why it's not working.
Age: 75
Posts: 166
Received 0 Likes
on
0 Posts
https://www.theregister.co.uk/2018/0...u_design_flaw/ has what is currently known. To the public anyway.
'a
'a
Join Date: Jun 2009
Location: Canada
Posts: 464
Likes: 0
Received 0 Likes
on
0 Posts
Basically, it seems to allow programs to access memory that they shouldn't be able to access, so malware could potentially do things like read passwords and encryption keys that are supposedly 'safely' stored inside the operating system where no application should be able to read them. From what little that's been released, it seems to be a problem with the way Intel CPUs will execute instructions and then throw the results away if it later turns out that the instruction wasn't meant to be executed (including if it's trying to access memory that it wasn't allowed to access).
And, given the rush to fix it, it would appear to be a serious problem.
On the plus side, the fix is unlikely to have much impact on normal desktop users. But could be a big performance hit on servers, particularly those running VMs (aka 'the cloud! the cloud!').
However the bug may work, someone claims to have been able to use it to read memory in one VM from another. Which means malware on a 'the cloud!' server could read data from any other VM running on the same server. Of course, they may just be making it up, since few people actually know what the bug is right now.
And, given the rush to fix it, it would appear to be a serious problem.
On the plus side, the fix is unlikely to have much impact on normal desktop users. But could be a big performance hit on servers, particularly those running VMs (aka 'the cloud! the cloud!').
However the bug may work, someone claims to have been able to use it to read memory in one VM from another. Which means malware on a 'the cloud!' server could read data from any other VM running on the same server. Of course, they may just be making it up, since few people actually know what the bug is right now.
Join Date: Jun 2009
Location: Canada
Posts: 464
Likes: 0
Received 0 Likes
on
0 Posts
OK, the explanations are coming out now:
Cyberus Technology Blog - Meltdown
So, basically, an application running on an Intel CPU can completely break through the protection between user and kernel memory to read arbitrary kernel data. And it probably affects all of them made in the last twenty years.
No wonder they're rushing to get the fix out so fast.
And, with hindsight, the problem should have been obvious. Using the cache to leak information was the first thing I thought of when someone mentioned that Intel CPUs were reading data before checking whether it was allowed to. It just requires a little clever programming to exploit.
Cyberus Technology Blog - Meltdown
So, basically, an application running on an Intel CPU can completely break through the protection between user and kernel memory to read arbitrary kernel data. And it probably affects all of them made in the last twenty years.
No wonder they're rushing to get the fix out so fast.
And, with hindsight, the problem should have been obvious. Using the cache to leak information was the first thing I thought of when someone mentioned that Intel CPUs were reading data before checking whether it was allowed to. It just requires a little clever programming to exploit.
Join Date: Dec 2013
Location: Norfolk
Age: 67
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
Pretty much every malware program forces an error of some sort and attacks the error handling routines, because routines that are invoked invisibly in the background leave the computer user in ignorance that anything is wrong. Typically forcing a memory stack overflow was a quick way of breaking into a program. Intercept the error handling routine with your own code and then return the computer back to its previous state and no one is any the wiser.
Having a bug at silicon level that can be exploited is a nightmare, but the real cause is programming techniques designed to push the limits in the pursuit of producing the fastest computer. Speculative read ahead caches can really speed up operations, but the majority of the data is just discarded anyway. Therein lies the problem. The operating system is accessing data that it has no right or need to access in the interest of saving a bit of processing time.
So we we suddenly all have computers that will run 20% slower. Sounds like a splendid idea to boost a flagging computer market and raise sales of new faster invulnerable machines, until the next bug is discovered.
The truth is that computers have been fast enough to do everything that most people want to do with them for the last decade or more. There are a few specialist applications that will always swallow whatever power and resources are available, but posting or viewing cat videos on the internet works just as well with a ten year old computer as a new one.
No need to panic. Just install the performance crippling updates when they are released and get in with life. Just don't bother buying a new computer.
Of course aircraft won't be affected in any way at all will they? Nothing on all these fly by wire aircraft running on Intel chips? This story is likely to turn into a very long running saga indeed.
"Open the landing gear doors, Hal."
"I'm sorry Captain, I can't do that, I cannot allow you to land. My job is to keep the aircraft flying and protect it from touching the ground."
Having a bug at silicon level that can be exploited is a nightmare, but the real cause is programming techniques designed to push the limits in the pursuit of producing the fastest computer. Speculative read ahead caches can really speed up operations, but the majority of the data is just discarded anyway. Therein lies the problem. The operating system is accessing data that it has no right or need to access in the interest of saving a bit of processing time.
So we we suddenly all have computers that will run 20% slower. Sounds like a splendid idea to boost a flagging computer market and raise sales of new faster invulnerable machines, until the next bug is discovered.
The truth is that computers have been fast enough to do everything that most people want to do with them for the last decade or more. There are a few specialist applications that will always swallow whatever power and resources are available, but posting or viewing cat videos on the internet works just as well with a ten year old computer as a new one.
No need to panic. Just install the performance crippling updates when they are released and get in with life. Just don't bother buying a new computer.
Of course aircraft won't be affected in any way at all will they? Nothing on all these fly by wire aircraft running on Intel chips? This story is likely to turn into a very long running saga indeed.
"Open the landing gear doors, Hal."
"I'm sorry Captain, I can't do that, I cannot allow you to land. My job is to keep the aircraft flying and protect it from touching the ground."
Join Date: Apr 1998
Location: Mesopotamos
Posts: 5
Likes: 0
Received 0 Likes
on
0 Posts
The problem is not isolated to just Intel chips and was identified 6 months ago by Google research scientists who immediately notified the manufacturers of these chips. Google gave these companies until 8 Jan 2018 to get their act together but the info was leaked a week early.
Of co-incidence is a number of Intel execs offloading their shares in their own company including the CEO.
From what I have read cloud providers (Microsoft and Amazon) have already addressed the issue in their infrastructure. RedHat and Apple have released a patch today and Microsoft have one available for the next patch Tuesday.
Besides the potential performance hit the event is looking to be a non-issue for those that maintain their computers.
Although the exploit allows a non-privelidged user to query the speculative CPU cache it doesn't allow control or modification of what is in there, you would have to be quite lucky to find something of interest like a password. Nonetheless, it's an exploit vector and should be dealt with by the patch.
The big thing on my mind at the moment is will there be a class action against these companies and can we get our computers/CPUs updated at no cost.
Of co-incidence is a number of Intel execs offloading their shares in their own company including the CEO.
From what I have read cloud providers (Microsoft and Amazon) have already addressed the issue in their infrastructure. RedHat and Apple have released a patch today and Microsoft have one available for the next patch Tuesday.
Besides the potential performance hit the event is looking to be a non-issue for those that maintain their computers.
Although the exploit allows a non-privelidged user to query the speculative CPU cache it doesn't allow control or modification of what is in there, you would have to be quite lucky to find something of interest like a password. Nonetheless, it's an exploit vector and should be dealt with by the patch.
The big thing on my mind at the moment is will there be a class action against these companies and can we get our computers/CPUs updated at no cost.
Join Date: Oct 2012
Location: SF Bay area, CA USA
Posts: 254
Likes: 0
Received 0 Likes
on
0 Posts
"Of co-incidence is a number of Intel execs offloading their shares in their own company including the CEO."
Anyway, is that not insider trading?
Join Date: Oct 2007
Location: Wherever I go, there I am
Age: 43
Posts: 804
Likes: 0
Received 0 Likes
on
0 Posts
Anyway, is that not insider trading?
What would be an interesting discussion, would be whether it is still insider trading if you have your broker on the phone while you are delivering the information that will send the stock south and say "sell" as soon as you're done.
Join Date: Jun 2014
Location: USA
Posts: 98
Likes: 0
Received 0 Likes
on
0 Posts
google search insider stock market trading Intel chip flaw
Would having this knowledge that is unknown to the public make Google sort of an "Insider?"
Can't Google and Facebook, etc. essentially mine as much money as they desire in the stockmarket by knowing what companies and subjects the buyers and sellers are searching before trades?
What if insider trading were freely allowed? Wouldn't buyers be much more careful about what they did with their money? Invest it to BE an insider. Wouldn't free insider trading favor employee-owned companies and reduce the gambling platform function of the current stock market.
Maybe insiders trade tips in each other's companies to help investment decisions...casually, verbally, oudoors--like in golfing foursomes?
Were alphabet agencies and/or hostile nations exploiting the Intel chip flaw to search computers?
Can't Google and Facebook, etc. essentially mine as much money as they desire in the stockmarket by knowing what companies and subjects the buyers and sellers are searching before trades?
What if insider trading were freely allowed? Wouldn't buyers be much more careful about what they did with their money? Invest it to BE an insider. Wouldn't free insider trading favor employee-owned companies and reduce the gambling platform function of the current stock market.
Maybe insiders trade tips in each other's companies to help investment decisions...casually, verbally, oudoors--like in golfing foursomes?
Were alphabet agencies and/or hostile nations exploiting the Intel chip flaw to search computers?
Last edited by dogsridewith; 5th Jan 2018 at 15:15.
Join Date: Dec 2013
Location: Norfolk
Age: 67
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
Insider trading takes place all the time among professional investors. The trick is to have a plausible secondary source of information if challenged on the timing of your trades. Then there are the official schemes that allow certain employees a thirty minute window to buy or sell shares before an official announcement is made...
The Intel chip flaw delivered essentially random information that was held in a read ahead cache. Most unlikely that the cache would contain password data, but hoovering data from millions of computers and analysing the results can give valuable intelligence insights, especially if the target computers are in a specific group such as banking, insurance, or technology. The cached date would likely reveal speculative searches for data on particular projects or areas of interest. The main targets would be large organisations where lots of snippets can be gleaned about that businesss.
The Intel chip flaw delivered essentially random information that was held in a read ahead cache. Most unlikely that the cache would contain password data, but hoovering data from millions of computers and analysing the results can give valuable intelligence insights, especially if the target computers are in a specific group such as banking, insurance, or technology. The cached date would likely reveal speculative searches for data on particular projects or areas of interest. The main targets would be large organisations where lots of snippets can be gleaned about that businesss.
Join Date: Aug 2007
Posts: 647
Likes: 0
Received 0 Likes
on
0 Posts
Thanks to MG23
Thanks for posting those links.
The Cyberus site holds links to both the Spectre & Meltdown research papers. I urge everyone with an interest in this problem to look at the site and like me; take the trouble to read and try to understand the the research papers.
Looking at some of the prime sources of the research helps to cut through the "rubbish" being peddled in the popular press: with the best of intentions no doubt.
CAT III (former programmer)
The Cyberus site holds links to both the Spectre & Meltdown research papers. I urge everyone with an interest in this problem to look at the site and like me; take the trouble to read and try to understand the the research papers.
Looking at some of the prime sources of the research helps to cut through the "rubbish" being peddled in the popular press: with the best of intentions no doubt.
CAT III (former programmer)
Join Date: Jan 1998
Location: Where the job is!
Posts: 451
Likes: 0
Received 0 Likes
on
0 Posts
Heathrow Harry hit the nail on the head with his post on 14 April 2014 in page 2 of the thread below.
Quote: “Most users who are sticking with XP like it, they don't need anything "enhanced" and they don't want to waste all the time and money involved in "upgrading" to what are less useful products many of which are really aimed at phones, tablets etc.”
Many of these so-called upgrades are useless to users. These needless pseudo-upgrades are nothing more than a work-creation project by some nerd to demonstrate what a clever little geek he is regardless of the trouble and obstruction caused to users at large.
New features are not needed. Just ensure that existing features continue to operate reliably and securely. This means nothing more is needed than an occasional security patch!
When a weakness comes to light the obligation on the company is to correct that weakness, not to try to leverage it with some unwanted pseudo-upgrades. Note that Apple has only secured some of its products. Those who for one reason or another do not use the very latest version of OSX have apparently been abandoned.
eg When an airbag problem came to light a couple of years ago we were advised that the airbags in our 2008 model Toyota would need to be changed under a recall. That is all that happened. Toyota did not behave like some unscrupulous computer/OS supplier (Apple) and try to force us to also have the engine replaced with the turbocharged and more powerful version. We still have the atmospheric version that gives all the performance we need. Toyota did not weasel out of its obligation to owners of older vehicles and advise that it would only provide a remedy to those who owned cars made in the past couple of years. Toyota faced up to its obligation to ensure that the airbags would perform as intended when we bought the car new in 2007. Apple and other IT companies need to display the same level of integrity and customer service. Apple should provide security updates to all versions of OSX released in the previous twelve years!
Effective government competition and business standards agencies should enforce this. Also, are there any class action law suits available to help users of older versions of OSX?
Should we laugh or cry? Government pays Microsoft £5.5m to extend Windows XP support
Quote: “Most users who are sticking with XP like it, they don't need anything "enhanced" and they don't want to waste all the time and money involved in "upgrading" to what are less useful products many of which are really aimed at phones, tablets etc.”
Many of these so-called upgrades are useless to users. These needless pseudo-upgrades are nothing more than a work-creation project by some nerd to demonstrate what a clever little geek he is regardless of the trouble and obstruction caused to users at large.
New features are not needed. Just ensure that existing features continue to operate reliably and securely. This means nothing more is needed than an occasional security patch!
When a weakness comes to light the obligation on the company is to correct that weakness, not to try to leverage it with some unwanted pseudo-upgrades. Note that Apple has only secured some of its products. Those who for one reason or another do not use the very latest version of OSX have apparently been abandoned.
eg When an airbag problem came to light a couple of years ago we were advised that the airbags in our 2008 model Toyota would need to be changed under a recall. That is all that happened. Toyota did not behave like some unscrupulous computer/OS supplier (Apple) and try to force us to also have the engine replaced with the turbocharged and more powerful version. We still have the atmospheric version that gives all the performance we need. Toyota did not weasel out of its obligation to owners of older vehicles and advise that it would only provide a remedy to those who owned cars made in the past couple of years. Toyota faced up to its obligation to ensure that the airbags would perform as intended when we bought the car new in 2007. Apple and other IT companies need to display the same level of integrity and customer service. Apple should provide security updates to all versions of OSX released in the previous twelve years!
Effective government competition and business standards agencies should enforce this. Also, are there any class action law suits available to help users of older versions of OSX?
Should we laugh or cry? Government pays Microsoft £5.5m to extend Windows XP support
Join Date: Jun 2014
Location: USA
Posts: 98
Likes: 0
Received 0 Likes
on
0 Posts
Toyota Takata bankrupt airbag recall
I neglected the 12/27/2017 deadline on the big little-print postcard to sign onto the Takata bankruptcy airbag class action suit...in part because the recalled passenger side bag has been replaced. But how much is Toyota going to help with the cost in 2025 when it becomes determined that the 2007 Yaris' driver's side bags have become lethal?
Join Date: Dec 2013
Location: Norfolk
Age: 67
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
dogsridewith
Airbags have a finite life, usually defined as ten years, before they are supposed to be replaced. I haven't noticed too many people in a rush to get the airbags replaced on older vehicles, nor has my garage advised me that such a service should be carried out.
My guess is that airbags, like most pyrotechnic devices, will operate okay considerably beyond their alleged expiry date. Any collision severe enough to set off the airbags will probably result in the vehicle being declared an insurance write off anyway due to the cost of repairs.
Full set of airbags, seat belt tensioners, replacement of seatbelts that were in use, repair or replacement of dashboard or other airbag covers and you won't be seeing any change out of £2,000 assuming the parts are available. Then there is the cost of repairs to the vehicle itself. Easier to scrap it.
Airbags have a finite life, usually defined as ten years, before they are supposed to be replaced. I haven't noticed too many people in a rush to get the airbags replaced on older vehicles, nor has my garage advised me that such a service should be carried out.
My guess is that airbags, like most pyrotechnic devices, will operate okay considerably beyond their alleged expiry date. Any collision severe enough to set off the airbags will probably result in the vehicle being declared an insurance write off anyway due to the cost of repairs.
Full set of airbags, seat belt tensioners, replacement of seatbelts that were in use, repair or replacement of dashboard or other airbag covers and you won't be seeing any change out of £2,000 assuming the parts are available. Then there is the cost of repairs to the vehicle itself. Easier to scrap it.