Major security flaw found in Intel processors

[kahless]

I'm getting that looking for info,,, and surprised to see old kernels in use..

It was kernel 4 that had major changes,, and a new release schedule.
This may indeed affect the Server side if they are all running antiques.

They are not completely old when bug fixes and security updates are back ported. You are just missing out on improvements and compatibility with newer packages.

[devil21]

It was revealed during the Snowden leaks, iirc, that pretty much all tech had been compromised with backdoors at the manufacturer level.

eta:

http://www.ronpaulforums.com/showthr...turer-s-drives

Regardless of what is claimed by the articles, I think it's naive to think it's just a few targeted systems. They didn't call it the "Total Information Awareness" program for nuthin'. This is also the sort of stuff that limited the Snowden releases to around 5% of his total haul. EVERYTHING is compromised. All of it.

Pardon me if I don't run out to install whatever the media and Intel (agencies) blare at me to install to fix "bugs" now. The same ones that have hidden the "flaws" are now offering the solution? Eh, a bit too Hegelian for my liking.

[pcosmar]

It was revealed during the Snowden leaks, iirc, that pretty have all tech had been compromised with backdoors at the manufacturer level.

Pardon me if I don't run out to install whatever the media and Intel (agencies) blare at me to install to fix "bugs" now.

The Open Source,, and Digital Rights communities have been working on just those issues.
Hardware back doors are closed when found.. And this had been known about for some time,and vault7 revealed more.

The fix for these problems is available,, and is being scrutinized by many eyes,,, some of them more paranoid than you.

[pcosmar]

They are not completely old when bug fixes and security updates are back ported. You are just missing out on improvements and compatibility with newer packages.

Not really..
You are running an old (stable) but antique Kernel thet has been patch and patched for 10 or 12 years. It was developed when the internet was running "98".
It was stable before 64bit chips were available to the public. and before multi core processors.

I really don't understand the industry insistence on maintaining outdated kernels.
But it does likely explain some vulnerabilities.

[devil21]

The Open Source,, and Digital Rights communities have been working on just those issues.
Hardware back doors are closed when found.. And this had been known about for some time,and vault7 revealed more.

The fix for these problems is available,, and is being scrutinized by many eyes,,, some of them more paranoid than you.

That assumes these same organizations haven't been infiltrated just like every other organization of importance has. I don't have much faith in that assumption. ymmv

[pcosmar]

ymmv

You are quite welcome to code your own OS from Source Code. That is the beauty and freedom of Open Source.
or look into the several distributions made by some one else.. There are un-hackable (hard code,read only),, high security distros for just that purpose.

it is ever evolving

My distro,, my favorite. is the work of a guy in Texas and a bunch of folk in a community of users.
https://www.pclinuxos.com/
https://en.wikipedia.org/wiki/PCLinuxOS
https://distrowatch.com/table.php?di...tion=pclinuxos

[kahless]

Not really..
You are running an old (stable) but antique Kernel thet has been patch and patched for 10 or 12 years. It was developed when the internet was running "98".
It was stable before 64bit chips were available to the public. and before multi core processors.

I really don't understand the industry insistence on maintaining outdated kernels.
But it does likely explain some vulnerabilities.

Not just I am running, millions of enterprise servers and data centers throughout the world. Centos/RHEL is everywhere. They are less vulnerable since they are being actively maintained for quite a long time. A business that provides 24x7 up time is more likely to use a stable kernel with security vulnerabilities and patches back ported rather than test the latest kernel on contract customers.

You want to support servers that required 24x7 up time with unproven kernels then go right ahead and see how long you customers stay with you. No one loves giving credit due to down time.

Again you are comparing home users to business.

btw - most servers I am supporting have multiple core 64 bit and more than 8gb's a RAM so we are not talking about the original kernel. For something like 10 years now.

[devil21]

You are quite welcome to code your own OS from Source Code. That is the beauty and freedom of Open Source.
or look into the several distributions made by some one else.. There are un-hackable (hard code,read only),, high security distros for just that purpose.

it is ever evolving

My distro,, my favorite. is the work of a guy in Texas and a bunch of folk in a community of users.
https://www.pclinuxos.com/
https://en.wikipedia.org/wiki/PCLinuxOS
https://distrowatch.com/table.php?di...tion=pclinuxos

I don't have much desire to code anything. I just know that if the MSM (controlled by same entities that mandated the backdoors in the first place) is blaring on about some emergency and urging you to do something in response to it, it's generally not for a reason that is beneficial to you.

[pcosmar]

btw - most servers I am supporting have multiple core 64 bit and more than 8gb's a RAM so we are not talking about the original kernel. For something like 10 years now.

The linux kernel 4+ is not unstable nor cutting edge,

And yes, The 2.6 kernel was was new, 2.4 was old and known. and Win xp was new.
People were still running Windows servers,, (some still do) despite being complete crap.

I am wondering why,, especially in critical environments,, people insist on running outdated and substandard hardware and software..

it makes little sense to me. and I suspect it bites ass.

[pcosmar]

I don't have much desire to code anything. I just know that if the MSM (controlled by same entities that mandated the backdoors in the first place) is blaring on about some emergency and urging you to do something in response to it, it's generally not for a reason that is beneficial to you.

Ah,,
Well I found linux by my own research long ago. Not the MSM or marketing,,, just other users online.
I got tired of mainstream crap.

I don't have to agree to any dumb EULA
I don't have malware, or viruses,,
I fear no E-mail attachment,
I am invisible, and hard to hack. (nothing being impossible)

I like the system they built. and it gives me TOTAL control of my system.
ymmv

[kahless]

The linux kernel 4+ is not unstable nor cutting edge,

And yes, The 2.6 kernel was was new, 2.4 was old and known. and Win xp was new.
People were still running Windows servers,, (some still do) despite being complete crap.

I am wondering why,, especially in critical environments,, people insist on running outdated and substandard hardware and software..

it makes little sense to me. and I suspect it bites ass.

Cost and stability. A bit of sweat spot with the bugs mostly ironed out and security fixes and patches back ported. Why risk that with an unproven kernel.

It does in a sense bites ass with workstations sometimes if you buy new hardware. On the other hand trying to install newer kernels on older hardware sucks to due to performance issues.

2.6.x is still maintained with migrations and newer installations to 3.1.x kernel. But not so much 4.x since no one wants to test the latest and greatest in a production environment but it is not far away.

For home with newer equipment no problem with newer kernel which more likely I would need if my hardware is bleeding edge and I need drivers to support it. I am not going to render older hardware useless with a newer kernel due to performance issues. The longer they support the older kernel's which make old systems fly the better. In many cases there really is no reason to upgrade your hardware or UI if the system is serving your needs and the OS is providing security patches.

[Swordsmyth]

Intel CEO In Jeopardy For Selling Stock After Learning Of "Staggering" Flaw

https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw

[Swordsmyth]

It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs

https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_p cs/

[timosman]

Intel CEO In Jeopardy For Selling Stock After Learning Of "Staggering" Flaw

https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw

How dumb is this dude?

[Swordsmyth]

How dumb is this dude?

I think arrogance is more to the point.

[timosman]

I think arrogance is more to the point.

You are right. He might know SEC is really toothless.

[devil21]

It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs

https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_p cs/

Well, there's a quick example of why I don't jump all over whatever "fix" is being blared by the media. Forcing people to buy new hardware (likely Intel, funny that) that they wouldn't otherwise have needed. I recall reading how a recent Windows update bricked people's old dot matrix printers, forcing new printer purchases. Eventually, hopefully, people will realize that the MEDIA IS NOT THEIR FRIEND and these tech companies are most definitely not either. To the heads of these companies we are nothing but consuming cattle to be herded in whatever direction is best for their bottom line and the completion of their full control agenda. That is IT.

How dumb is this dude?

You know damn well nothing will happen to him. Nothing happened to the MGM execs and Board that dumped most of their stock before the LV shooting either. Even the charade of a rule of law has been dropped. It's wild west, everyone for themselves, before the run for the exit doors.

[timosman]

You know damn well nothing will happen to him. Nothing happened to the MGM execs and Board that dumped most of their stock before the LV shooting either. Even the charade of a rule of law has been dropped. It's wild west, everyone for themselves, before the run for the exit doors.

This is depressing.

[pcosmar]

Well, there's a quick example of why I don't jump all over whatever "fix" is being blared by the media. .

Actually,, That is exactly why I don't use windoze.

[kahless]

As expected.

Microsoft admits that the Meltdown/Spectre patches will hit Windows Server performance
https://www.geekwire.com/2018/micros...r-performance/

Microsoft acknowledged Tuesday morning that Windows Server is now slower for certain types of applications thanks to the patches.
...
Myerson also noted that Windows PC users with recently purchased systems probably won’t notice much of a performance impact from the patches pushed out to Windows users last week, but people with older Windows 10 hardware, and people with Windows 8 or Windows 7 machines, will likely see a performance hit.

Microsoft says older Windows versions will face greatest performance hits after Meltdown, Spectre patches.
http://www.zdnet.com/article/microso...rmance-issues/

[kahless]

Same for Linux

IBM melts down fixing Meltdown as processes and patches stutter - RHEL servers croaking
http://www.theregister.co.uk/2018/01/09/ibm_melts_down/

The documents also say some Red Hat Enterprise Linux servers aren’t rebooting after patching, which is of more concern given that Red Hat developed its own Meltdown/Spectre patches.

Red Hat Warned Partners Of Computing, Cloud Performance Loss Stemming From Protecting Against Chip Vulnerabilities
http://www.crn.com/news/security/300...rabilities.htm

Solution providers are expecting some systems to be degraded by up to 30 percent

Some with the latest kernel having boot problems
http://www.zdnet.com/article/the-lin...tle-continues/

Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.

[pcosmar]

As expected.

Microsoft admits that the Meltdown/Spectre patches will hit Windows Server performance
https://www.geekwire.com/2018/micros...r-performance/


Microsoft says older Windows versions will face greatest performance hits after Meltdown, Spectre patches.
http://www.zdnet.com/article/microso...rmance-issues/

And I was just reading that RedHat published their bench tests,,
19% reduction in performance,, worst case. but most a 2 to 8% hit.

I suspect they are still massaging it.

windoze likes to throw out nasty patches. it's like a history or a habit.

[devil21]

^^^^
What Intel, MS, etc is actually saying is go buy new crap that most DEFINITELY has all of the backdoors in it.

[pcosmar]

Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.

I'm running 4.14.8,, and have no issues. It had some patches.. 4 15rc is being tested,, and it should have patches,, it is being tested.

Looking forward to it's release as stable later this month.

[Swordsmyth]

Intel is having reboot issues with its Spectre-Meltdown patches

“We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Shenoy wrote.
He added, “If this requires a revised firmware update from Intel, we will distribute that update through the normal channels.”

More at: https://finance.yahoo.com/news/intel...221114762.html

[ClaytonB]

I did a more detailed write-up on the Meltdown/Spectre attacks here.

tl;dr: This entire class of attacks can be mooted by restricting user-space software from having access to high-precision timers (timestamp-counters) or slowing the timers (obscuring microarchitectural timing) or fuzzing the timers (same thing, different method). If you are running user software in a virtual container, you can defend against all these attacks by changing one setting (timestamp-counter scaling) without any kernel update or CPU patch. You won't find this fact mentioned anywhere. Fixes that require "re-architecting CPUs" are nonsense-on-stilts.

[ClaytonB]

Also, a quick note about "backdoors". If you are an ordinary PC user, you should never operate under the assumption that "my computer is secure" because... it isn't. These latest attacks have nothing to do with that. If the NSA or somebody at that scale wants inside your PC, they're in, just like that and they don't have to use academic timing attacks to do it. The best overall description is "push-button access". We know this is the case thanks to the Snowden disclosures, among other whistleblowers.

[Swordsmyth]

Intel admits Spectre patch problems also affect newer Core chips

Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches. The chipmaker previously said that the reboot issue affects systems running Broadwell and Haswell. Now that it has managed to reproduce the problem internally in an effort to fix it, the company found that a similar behavior can occur in platforms powered by Skylake and Kaby Lake, which are newer than Haswell and Broadwell. Ivy Bridge- and Sandy Bridge-based systems, both older cores, are also susceptible to the bug. Thankfully, Intel VP Navin Shenoy said that they're close to identifying the problem's root issue. "In parallel," he added, "we will be providing beta microcode to vendors for validation by next week."

More at: https://finance.yahoo.com/news/intel...075000640.html

[pcosmar]

@Swordsmyth

The reboot issues are not Intel. The Chip Flaw is Intel,, but the reboot problem is Windize. and the windoze patches.

No issue here,,, nor with linux in general. so that issue is unique to that OS.

[kahless]

Red Hat Will Revert Spectre Patches After Receiving Reports of Boot Issues
https://www.bleepingcomputer.com/new...f-boot-issues/

Red Hat is releasing updates that are reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715) after customers complained that some systems were failing to boot.

"Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said yesterday.