Slashdot Mirror
When F00F Bug Hit 20 Years Ago, Intel Reacted the Same Way (itwire.com)
troublemaker_23 writes: A little more than 20 years ago, Intel faced a problem with its processors, though it was not as big an issue as compared to the speculative execution bugs that were revealed this week. The 1997 bug, which came to be known as the F00F bug, allowed a malicious person to freeze up Pentium MMX and "classic" Pentium computers. Any Intel Pentium/Pentium MMX could be remotely and anonymously caused to hang, merely by sending it the byte sequence "F0 0F C7 C8". At the time, Intel said it learnt about the bug on 7 November 1997, but a report said that at least two people had indicated on an Intel newsgroup that the company knew about it earlier before. The processor firm confirmed the existence on 10 November. But, says veteran Linux sysadmin Rick Moen, the company's reaction to that bug was quite similar to the way it has reacted to this week's disclosures.
"Intel has a long history of trying to dissemble and misdirect their way out of paying for grave CPU flaws," Moen said in a post to Linux Users of Victoria mailing list. "Remember the 'Pentium Processor Invalid Instruction Erratum' of 1997, exposing all Intel Pentium and Pentium MMX CPUs to remote security attack, stopping them in their tracks if they could be induced to run processory instruction 'F0 0F C7 C8'? "No, of course you don't. That's why Intel gave it the mind-numbingly boring official name 'Pentium Processor Invalid Instruction Erratum', hoping to replace its popular names 'F00F bug' and 'Halt-and-Catch Fire bug'."
"Intel has a long history of trying to dissemble and misdirect their way out of paying for grave CPU flaws," Moen said in a post to Linux Users of Victoria mailing list. "Remember the 'Pentium Processor Invalid Instruction Erratum' of 1997, exposing all Intel Pentium and Pentium MMX CPUs to remote security attack, stopping them in their tracks if they could be induced to run processory instruction 'F0 0F C7 C8'? "No, of course you don't. That's why Intel gave it the mind-numbingly boring official name 'Pentium Processor Invalid Instruction Erratum', hoping to replace its popular names 'F00F bug' and 'Halt-and-Catch Fire bug'."
This isn't the 0.9998356st time they've done this?
What was Intel supposed to call the bug? "The Pentium sucks and can be remotely disabled erratum?"
Continuing:
Moen, who is based in California, said that at the time, Intel's "judo-move response" was to create an information page claiming it dealt with the bug by linking to each of the various x86 OS vendors' bug-fix pages.
Again, what alternative did Intel have? It couldn't patch existing chips so it directed customers to patches provided by OS vendors.
I'm not sure I understand the point of this article.
What the fuck is this goofball trying to say? That he's too stupid to know what words like "erratum" and sentence fragments like "invalid instruction" mean?
Technical terms bore me! I'm a great computer whiz!
...to the 0xDEADBEEF bug?
Slashdot, fix the reply notifications... You won't get away with it...
So, I guess they are correct to respond in this way.
The "point" is that Intel, Microsoft, and many large 'technical' corporations are apparently more concerned with marketing than technical prowess. Consider that Intel spends more on marketing each year than AMDs entire R&D budget.
Maybe if they spent half the time, energy and money on technical stuff as they do on slimy marketing, this issue wouldn't have happened in the first place.
I'm not sure I understand the point of this article.
I agree. This article is not news. Not because it is about something that happened 20 years ago, but because it is a rehash of standard PR spin and maneuvering:
This is what companies, organizations, political parties, and countries do.
I am protected by APKs host file generation tool, so I am safe from these bugs, right?
I'm pissed at them too - where is my slashdot article?
'merely by sending it the byte sequence "F0 0F C7 C8".' Ã am pretty sure that it wasn't enough to "send" the byte sequence. That assumes that you could trigger the bug remotely. Instead you would need to execute that code sequence, so you need permissions to install software. Still bad, but not a huge deal 20 years ago, when computers with Intel CPUs were almost always single-user machines.
In this case the processor might actually do what the manual says it should do.
If so, then unfortunately, the manual describes a processor operation that has an exploit.
So, if you speculatively execute an instruction sequence that reads a bit of protected memory and then affects cache in a measurable way according to that answer, is that outside the manual?
He doesn't understand that those papers are written and used by engineers and other technical people to solve problems in the real world, he would much prefer they responded with snarky tweets for people who endlessly piss and moan about things they don't understand.
Meltdown has been around for 23 years, and we're only discovering it now. What else is lurking in the hardware that could make it vulnerable? It seems like this is only starting to be explored as an attack surface. This is probably the tip of the iceberg. The Intel ME has serious vulnerabilities. Intel has gone to great lengths to obfuscate the ME, and has given it almost absolute control over every aspect of the system. These systems are probably far more vulnerable than we are presently aware of.
I don't trust AMD or ARM, either. It's true that AMD isn't affected by Meltdown, and therefore doesn't need to suffer the performance hit of the KPTI workaround. However, AMD does have an equivalent of the ME.
Intel is doing a terrible job of addressing Meltdown and Spectre. However, I don't think Intel's failures should drive us to trust other manufacturers like AMD. A healthy dose of cynicism is needed, that the hardware in our devices is probably far more vulnerable than we'd like to think, has plenty of secretive functionality built into it, and may well be actively working against us in some cases (like DRM or phoning home).
I don't see how marketing plays into it - are you saying the presence of any errata means they are marketing-focused rather than engineering-focused? What exactly is Intel guilty of in the article? Using less provocative titles for their chip bugs than what the media came up with?
I am a proud citizen of the fruitful and glorious kingdom of the Netherlands; soon to be holders and protectors of a global hegemony the likes never seen before. Our mighty ships, our mighty crews, they will set fire to the lands beyond. A fire no mortal can put out. Such is the power of the powerful nationstate "Holland": Saviours of the Just, protectors of the Golden Child.
Is this a bug in Intel hardware or processor design?
No. This is not a bug or a flaw in Intel products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
The Meltdown bug is much much worse. It essentially means you cannot use Intel in the Cloud. This is why their stock lost $11 billion so far and why the CEO sold all his stock earlier.
I love how everyone seems to be vilifying Intel when AMD and ARM have the same issues.
The Pentium FDIV bug:
No sane way to workaround at all, and no way to work around it in real mode operating systems, which mattered a lot at the time. Intel ultimately forced to do a recall because they could not provide accurate results for applications. Three models (60, 66, and 90mhz) exposed and caught *relatively* early and volumes were manageable.
F00F bug:
Feasible OS workarounds for protected mode operating systems with no performance impact. Real mode operating systems still mattered, but if you were running real mode there were tons of other ways to freeze the whole system so F00F wasn't that interesting in real mode anyway. Workarounds looked *ugly*, but they were cheap. Intel screwed up, but software workaround was pretty appropriate.
Meltdown:
There are workarounds, but could be very expensive. At the same time, they have two decades of exposed products and much higher volumes than they had before. So the scope of a recall would be way more massive. The workaround results in reduced performance, not incorrect results. If anything were to happen, I'd bet some sort of small rebate or credit for the performance loss, and telling the world to just deal with the performance impact if they care about security.
XML is like violence. If it doesn't solve the problem, use more.
The monkey chase the intel
The monkey thought t`was all in fun
FOOF goes the intel
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
"Maybe if they spent half the time, energy and money on technical stuff as they do on slimy marketing, this issue wouldn't have happened in the first place"
You apparently have no goddamned clue about technical stuff. One of the flaws itself lies directly in how Out Of Order Execution is SUPPOSED to work.
Try taking hardware design classes before opening your mouth on a subject you clearly do not know!
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Nope.
Despite what that retard APK will claim his work doesn't stop inbound connections.
Also the outbound destination of traffic from your machine from an attack needs to already be known and must do a host name lookup.
Furthermore it is trivial for malware to work around his efforts because it is physically impossible for him to enumerate every possible hostname in a domain in a hosts file. So all that is needed is for malware, java script, or anything to randomly generate a valid hostname and attach the domain.
Then there is the fact that even with all that you will have to manually run and update the damn thing.
This is why any security advice from Alexander Peter Kowalski should be ignored for the provable BS it is.
Basically treat his work as you would an AV scanner that can only detect a virius based off of the file name it uses and realize that is effectively what his work does in an overly complex, slow, and bloated manner.
Both AMD and Intel routinely put out addendums detailing bugs on their CPUs and chipsets. These are normally addressed at BIOS or OS level.
This is different though. Meltdown and Spectre are a result of how branch prediction works on pretty much all modern CPUs and are difficult - if not impossible - to shield from on existing hardware.
" .. but a report said that at least two people had indicated on an Intel newsgroup that the company knew about it earlier before[SIC]..."
But the company is not a monolith, with a single brain that is aware of all the reports from all the employees. Some parts of the company knew about the bug earlier. Other parts of the company who should have acted to fix it and disclose it did not do the right thing.
If we blame wholesale "Intel" then Intel will close ranks and perps will enjoy some amount of protection.
The same thing happens when we generally blame "Police Brutality" or "Islamic terrorism". If we choose terms that allows the organization to blame a few bad apples and maintain some dignity, and we improve the general reaction to make sure the blamed ones are the real "bad apples" and not some scapegoat, over the long run things would improve. For example we should say something like, "Sunni Terrorism" that will allow Shias not feel blamed, or even better "Wahhabi terrorism" to allow other Sunnis to distance themselves from the perps.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Again, what alternative did Intel have? It couldn't patch existing chips so it directed customers to patches provided by OS vendors.
How about not lie about and own up to their fuck up?
I have a friend who was doing his Masters at the time which involved neural nets and numerical analysis in some way (details escape me). He was getting results that didn't line up with his initial back-of-the-envelope theoretical hypothesis, but he was confident he was right.
He ended up having to "prove" to Intel that he was doing things correctly and that their chip was doing math wrong, and before he got a replacement CPU he had to sign an NDA. After doing all of that over the course of weeks/months he finally got a new chip--and then a week or two after that Intel publicly admitted to the fuck up and replaced everyone's chip for free.
Intel wasted a lot of his time (and probably many other people's as well) when they (probably) knew about it.
Spoiler for clueless, please!
The "point" is that Intel, Microsoft, and many large 'technical' corporations are apparently more concerned with marketing than technical prowess. Consider that Intel spends more on marketing each year than AMDs entire R&D budget.
Maybe if they spent half the time, energy and money on technical stuff as they do on slimy marketing, this issue wouldn't have happened in the first place.
Hands up those of you here who have ever written completely 100% bug-free code.
Thank you. The rest of you can stop criticising now and go home.
See subject: If malware makers try via browsers by hosts blocks of their 3rd party malscript served by host-domain/subdomains (99% are) - the most effiicient way WAY before NoScript does parsing for script src tags in HTML ala "could allow applications, malware & JavaScript running in web browsers to obtain information they should not be allowed to access" http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability// ) as malicious scripters appear & sources my program uses (or others you find in say security site articles) obtain them to block them.
* HOWEVER - locally? No.
(It's a problem that OS makers are patching for disk-intensive apps (databases, VM's (doing context switching) & probably defraggers + backup programs that talk w/ kernelmode I/O drivers I'd guess)
APK
P.S.=> My program's output result natively protects vs. MORE vs. any other "so-called 'solution'" does for LESS doing far more (& speeds you up vs. slowing you down (like security issue ridden remote DNS or Antivirus)) - but it can't protect vs. EVERYTHING (nothing can)... apk
See subject & this is why hosts would work (more efficiently vs. NoScript + faster) https://hardware.slashdot.org/comments.pl?sid=11573413&cid=55868787/ & you're the bs artist "ne'er-do-well" do-nothing unidentifiable TRUE coward that hasn't done better work than mine yourself (fact).
* Additionally - I don't NEED to block "every domain possible" - only the ones involved serving up the malscript stupid (as I've shown hosts work vs. dozens of botnets here that use host names (99% do) & TONS of other threats as well).
APK
P.S.=> Now, above ALL else - Have YOU done a better job? No... but, you're MORE THAN WELCOME to prove otherwise, big-talker (never will happen)...apk
I've tried this exploit code on Win10 with full updates in FF+Chrome+IE, and on LineageOS 14.1-something on FF+Chrome+stock browser. All just give the output "0".
"When information is power, privacy is freedom" - Jah-Wren Ryel
Does your friend know anything about technology, how complex it is, how easy it is to get something wrong, how hard it is to track the issue down, and how many times a customer claims their problem is the vendors fault when it is really a bug in the clients implementation? Because anyone who is incensed over this, including yourself, certainly doesn't.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
For real. This has shown that these code monkeys know zero about computer architecture. This isn't a flaw in an implementation, this is a flaw in a fundamental principle of CPU design.
I'm worried about this 'AMD is safe' bullshit that's been floating around. No, the Meltdown paper specifically says AMD has the same problem - out of order execution of instructions accessing protected memory - they just couldn't get the side channel to work and suggest it may just need some optimization. That doesn't mean AMD is immune, it just means they haven't gotten it working - yet.
Meltdown and Spectre depend on the CPU working as intended, and that's the problem. As the papers point out, everyone has long been focused on CPU performance but we may need to accept giving up some of that performance for more security.
Consider that Intel spends more on marketing each year than AMDs entire R&D budget.
That's because Intel is a FAR larger company than AMD. Intel spends more money on marketing than AMDs entire REVENUE. AMD had revenues last year around $4.27 billion and Intel revenues were around $59.4 billion. The companies aren't even close to being peers. AMD spends a similar percentage of revenues on marketing but they simply aren't anywhere near as big. That doesn't mean AMD cares less about marketing - it just means they don't have as much cash to spend.
The "point" is that Intel, Microsoft, and many large 'technical' corporations are apparently more concerned with marketing than technical prowess
Software companies are different animals than hardware manufacturers. Every software company on the planet spends more on sales and marketing than on engineering and R&D. That's not a commentary on the relative important of those functions but rather just what they cost to perform those activities. Selling software is less able to achieve economies of scale in most cases. Look at the financial statements of Microsoft, Apple, Google, Oracle, and you'll see that around 10-30% of their costs are to actually design the products. SG&A (Sales and Marketing) typically is about double that amount or more. Intel has a lot more R&D costs because they have a lot of very expensive plants and tangible equipment to fund. Software R&D doesn't generally require building expensive hardware prototypes and research into novel applications of physics.
... This article is from some corporate shill trying to capitalize or misdirect on this chipgate? Because last I've heard, AMD and ARM both suffer from the same problem, but only Intel is being dissed in this. So, I can only see this as being submitted by an ignorant fool or a corporate shill trying to misdirect attentions and get all the focus on Intel since they were the only ones to disclose it (and forcing ARMs hand... AMD was still pretending it's not affected by this issue but we all know they are, it's a fact).
Sorry retard Alexander Peter Kowalski I and others have proved you wrong countless time.
You can't defend your work against logic, reason, and mathematics.
You make bold false claims and then offer no support.
I have nothing to prove as I don't make outrageous claims about my work but as you make your silly dumb claims you do need to prove and back them up yet you can't.
Also just because you can't understand things like simple math, logic, or any number of things doesn't make them untrue.
I see you have already declared you won without being able to refute a single fact I presented.
You can't prove you have blocked every possible domain but then I never made that claim but did correctly claim you have to block ever possible host name in a domain which is serving malware to be secure which you can't.
This further demonstrates that you are an illiterate fool in addition to your piss poor writing ability and inability to form a complete thought.
You really do have a weak and feeble mind.
This also ignores the fact that your work doesn't actually prevent anything like other solutions actually do.
Also when are you going to stop being a fucking racist?
If you make a living selling really complex stuff, then saying "aw shucks, we did not understand the technology we are producing" is not the way to enhance your sales. Meltdown and Spectre are the result a pile of very basic design errors all joined up.
Sure it can take a team of people with expensive, specialised equipment to debug a CPU, but have a look at Intel's turnover before you come out with this twaddle. If someone says "it looks like there is a problem" then they should be in line for bug bounties, like from software people.
It is our job as /. contributors, geeks and nerds to make the market heap this on Intel till it really hurts, or it will go on happening. Its not like Joe Sixpack call tell fake news when he laps it up.
Sent from my ASR33 using ASCII
"Still bad, but not a huge deal 20 years ago, when computers with Intel CPUs were almost always single-user machines."
20 years ago was 1998, not 1968, and Linux and WinNT were both online as servers back then so your comment is nonsense. Are you a Millenial by any chance? If you are then an FYI - the modern world didn't start when you were born.
The "point" is that Intel, Microsoft, and many large 'technical' corporations are apparently more concerned with marketing than technical prowess. Consider that Intel spends more on marketing each year than AMDs entire R&D budget.
Maybe if they spent half the time, energy and money on technical stuff as they do on slimy marketing, this issue wouldn't have happened in the first place.
Sure, they spend more in marketing than AMD spends on R&D, but what really begs the question is: is Intel R&D expenditure orders of magnitude larger than AMD, given the difference in dimension of both companies (like "from mice to elephant" different)?
Well, turns out it is... actually, Intel out-spends (in R&D) everyone in the chip industry... so much so that the second in R&D spending is Qualcomm and it spends less than half of what Intel spends (or rather, Qualcomm spends just little over 1/3 of what Intel spends on R&D, and that's the gap between the 1st in R&D expenditure - Intel - and the 2nd - Qualcomm).
So all you've done was try to pass a fallacy as argument, good for you *clap* *clap*.
How many CPU architectures did Intel release in the past 20 years WITHOUT security defects?
How many did you release?
Give me a break and come back when you run a 5000+ headcount development and engineering organization for two decades.
You should learn to read. What I wrote has nothing to do with what you are prattling on about. OP was complaining that Intel didn't just immediately take his "friends" word for it that he had identified a problem in their hardware. You are complaining about how things are being handled after they did the due diligence he thinks his "friend" shouldn't have had to wait for.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
For real. This has shown that these code monkeys know zero about computer architecture. This isn't a flaw in an implementation, this is a flaw in a fundamental principle of CPU design.
I would like to issue you two challenges.
1) design a CPU from scratch that is even 1/100th as powerful as a current gen CPU.
2) Starting with x86 PIII (where this issue first existed IIRC) design a multicore part even half as good as a modern CPU.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Not seeing the point of the article is a problem.
REALLY?
Not all companies automatically do the worst thing possible. The fact that intel has a history of twisting and shouting to avoid accepting responsibility for a problem (including trying to minimize it), and avoid replacing faulty products, is a problem. It's news worthy.
Even if it's just for consumers to look at and say "well hey, maybe I should give AMD a chance". But all the better if this is fuel for a class action lawsuit, or larger market forces at work. Maybe this spurs a big player like Amazon or Google to think twice about how much they are willing to bet on Intel hardware.
This cynical "Uh well everybody does it" attitude is false, useless, and if anything encourages apathy.
merely by sending it the byte sequence "F0 0F C7 C8"
Sending, really? What, down a modem, via email, on a webpage?
No, you have to get the computer to execute that byte sequence. That involves a bit more than "sending."
systemd is Roko's Basilisk.
This is what's is objectionable about Intel's behavior
"He ended up having to "prove" to Intel that he was doing things correctly and that their chip was doing math wrong, and before he got a replacement CPU he had to sign an NDA. After doing all of that over the course of weeks/months he finally got a new chip--and then a week or two after that Intel publicly admitted to the fuck up and replaced everyone's chip for free"
Having to prove he was doing things right is perfectly fine but making a customer who has just given you a big heads up on a huge fuck-up on your part wait months? And gagging him with an NDA?
That's assholery.
Pain is merely failure leaving the body
I agree. That's certainly how they'd handle a recall in a "worst case" scenario. They're not going to offer to give you brand new CPUs in exchange for obsolete ones over 5 years old. Heck, they can argue that if you used it that long, you fully got your money's worth out of it, regardless of the current issue.
It'll be interesting to see how this plays out. But I wouldn't be surprised if we wind up with a "mixed" situation, where server class Xeon processors, primarily used in Enterprise cloud environments, qualify for replacement under some kind of exchange program -- while they conclude software patches are sufficient for desktop processors.
Who knows? Maybe this will prompt some of Intel's customers to move in other directions and super real innovation in CPU design and development. Everything that's happened to CPUs in the past 20 years has been a serious of mundane, incremental improvements. Intel has had a stranglehold on the industry and as a result o giant innovations have occurred. It would be interesting to see larger companies like Apple or HP fab their own CPUs. OTOH, its probably convenient for them to be able to blame it on Intel and get discounts on future purchases.
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
For real. This has shown that these code monkeys know zero about computer architecture. This isn't a flaw in an implementation, this is a flaw in a fundamental principle of CPU design.
You are absolutely correct here and I completely agree.
I'm worried about this 'AMD is safe' bullshit that's been floating around. No, the Meltdown paper specifically says AMD has the same problem - out of order execution of instructions accessing protected memory - they just couldn't get the side channel to work and suggest it may just need some optimization. That doesn't mean AMD is immune, it just means they haven't gotten it working - yet.
You come close here, but still miss the mark. With Meltdown, there are two components at play: out-of-order execution and observable side-effects in cache. Both Intel and AMD implement out-of-order execution. As you point out, it is a fundamental concept in modern CPU design. The problem is not that out-of-order execution takes place. The problem is that some implementations (namely Intel, and one ARM design) fail to properly protect against access to the discarded data. This could be protected against in the CPU by properly clearing the cache of results from instructions that end up being invalidated or by delaying access to those areas until authorization has been verified. I believe that AMD does the latter. The patches that have been discussed on LKML (the kernel page table isolation, or KPTI) sort of forces the CPU to do the first thing (because putting the kernel memory in a different process/address space forces a context switch, which will wipe caches, registers, etc.). So, AMD's claim that their design is immune to Meltdown is completely believable based on the facts to date. That does not mean that another vulnerability will not be found. It just means that Meltdown specifically exploits a design implementation flaw.
In fact, an AMD engineer submitted a patch to the KPTI patch set that disables KPTI for AMD CPUs. I find it extremely doubtful that, given all the publicity and scrutiny with these vulnerabilities, that AMD would come out on LKML and make a public statement of "nah, this does not apply to us" unless that were actually the case. If they are making that up, then they are committing PR suicide.
Meltdown and Spectre depend on the CPU working as intended, and that's the problem. As the papers point out, everyone has long been focused on CPU performance but we may need to accept giving up some of that performance for more security.
This absolutely correct insofar as Spectre is concerned, but not so much for Metldown.
It looks like we are even at this point :)
I thought they fixed the FDIV bug before the P90's were released or am I just getting too old?
I don't know if I can do those things. I do know that I can tell the truth about something I did and I offer to fix problems that I cause without trying to BS my way around the problem. It isn't about building a CPU - it''s about honesty and morals.
See subject: Reality in hosts stalling a botnet (as I had before this on /. vs. 100's of botnets/malwares) https://tech.slashdot.org/comments.pl?sid=11559309&cid=55857689/ BLOWS YOU AWAY along w/ your mere erroneous "theories" that I PROVED FAULTY Arth1 in the link that post above leads to no less!
* ... & that's all the 'support' I need in reality, truth + fact vs. YOUR FAULTY ASSUMPTIONS Arth1 (still 'stinging' I see, lol).
APK
P.S.=> I state nothing but fact (that utterly crushes a do-nothing "ne'er-do-well" mere TALKER in yourself vs. myself actually successfully doing the job w/ many others SUPPORTING ME (partial sample only / ) in security + web pros in these next 2 links https://yro.slashdot.org/comments.pl?sid=11532533&cid=55815881/ & https://yro.slashdot.org/comments.pl?sid=11532533&cid=55815915/ as well as /.ers quoted praising my work too https://developers.slashdot.org/comments.pl?sid=11549257&cid=55839415/ vs. YOUR "jealous jowie" stalking of myself, lol... apk
A Narcissist's Prayer
That didn't happen.
And if it did, it wasn't that bad.
And if it was, that's not a big deal.
And if it is, that's not my fault.
And if it was, I didn't mean it.
And if I did...
You deserved it.
No, it isn't. It's how things work. People react like idiots either way, as seen here, but any business is going to do damage control. People are making this sound like it is a much bigger issue than it is even with proper explanations. Res ipso loquitor.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It was called f00f because that was the actual machine code for the illegal instruction.
GP goes in a valid direction. But it's not exactly marketing that's been put ahead of security, it's performance. Marketing knows customers care much more about performance than safety. And are the customers wrong? Idiots, for not taking security more seriously?
Think about the security vulnerability inherent in the C library function, malloc. It can give its process access to discarded but unerased data from whatever process last used whatever region of memory the OS hands it, unless steps are taken. They knew what to do about it: wipe the memory. Maybe the OS should do that, or the hardware. But everyone realized it would be a performance hit, even if it was hardware based, and no one wanted that. Instead, the burden was put on the previous process to erase its data before freeing the memory. Library functions such as secmalloc can assist with that, of course. And that was a fairly sensible move. Only erase the data if it is sensitive, otherwise, who cares?
In the design of C, performance was chosen over security and safety pretty much every time. It should be no surprise that hardware design shows the same focus. And it's not wrong. It's safer to drive on slow roads, never exceed 50kph, but people do not want that, they want to go over 100kph, for the good reason that time is also valuable.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
I agree. That's certainly how they'd handle a recall in a "worst case" scenario. They're not going to offer to give you brand new CPUs in exchange for obsolete ones over 5 years old.
"Obsolete" is very subjective.
e.g. I have an intel i7-3930K, 6-core with hyperthreading. It's from Q4 2011, and now labeled as EOL by Intel.
However, despite the age still performs neck-on-neck with the Intel I7-7700K 4.2GHz, released on Q1 2017. (cpubenchmark.net Passmark score of the I7-3930K = 12,025, I7-7700K=12,087)
See subject & ONLY person that can 'fire' me IS me - I run my own business & have done well @ it for a decade++! ... & as to your b.s. lies?
* I'd LOVE to see your proof of those lies of yours directed MY way (especially considering it's lies & projecting what YOU do yourself obviously, lol).
APK
P.S.=> Ah yes folks - it's going to be a GREAT FRIDAY starting it off having shovelled the hell out of feet of snow (several times the past 2 days - could've used my snowblower but the workout was decent instead), paid my taxes & bills & topping it ALL off "DUSTING" unidentifiable "ne'er-do-well" little "jealous jowie" TROLL losers too as I have here in this series of posts too, lmao - REALITY THAT WORKS (my ware) always CRUSHES delusional mere FAULTY THEORIES the 'jowies' (lol) try use & FAIL vs. me as always... apk
It's not a bug, it's a feature!
I'm not sure I understand the point of this article.
Condolences. But if you ponder long and hard, you might spot the pattern
Rick Moen
rick@linuxmafia.com
Assholery and "how things work" are not mutually exclusive. Ask any of the #MeToo complainants.
Pain is merely failure leaving the body
No. But I remember the one 1996.987390689
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Keep crying. I'm sure businesses will start taking risks that could cost them billions if you whine loud enough.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
How many of us are multi million/billion dollar corporation?
Yea, thought so, stfu.
I see that poor retarded APK still can't defend his work.
Has anyone ever actually seen you provide proof.
I haven't, but I have see you produce the following:
Lots of bold claims that can't be backed up.
Expert advice from other retards on AOL radio, or a wanna be Kim Komando.
You pretending you are in some movie and your garbage work is the hero.
Expert endorsements that don't mention your work.
Claims of other copying you but no proof offered that they looked at your work and then decided to copy very obvious old ideas that others did before you.
Lots or conspiracies surrounding George Soros, Facebook, Google, the Jews, etc.
Out of context or retracted quotes from random slashdot users.
An inability to read and write English.
Lots of claims of winning, dusting, or blowing people away when you can't offer actual proof.
None of that stuff is a fact no matter how much you want it to believe.
Face it Alexander Peter Kowalski you never win but can't admit it, even to yourself.
Some day your parents might stop regretting not aborting you but today isn't that day, the rest of the century isn't look so good either.
Man, in every thread you aren't just an asshole, you are a stupid looking asshole lol. Keep it up so we can keep mockin ya tho. Appreciate it.
If there is one person whose opinion I'm concerned with it's an AC that makes blatantly false claims, and starts their sentences with "man", man. Thanks for the laugh little stalker coward.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell February 16 2017
(APK's work), I've flat out said it's good by BronsCon February 11 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
I do use APK's host file on all my systems at home by OrangeTide December 01 2017
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
(NEED MORE? Ask!)
* It's recommended/hosted by Malwarebytes' hpHosts!
APK
P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk
Looks like I released one more.
Hi, Intel "reputation management specialist."
I have written bug free code.
Sure ... but the same argument ALWAYS gets made with older technology. I used to work for a manufacturing business that would never let go of some of their high speed 132 column dot-matrix line printers. Everyone who saw them cried, "Ancient tech! Obsolete! Get rid of it!" But the reality was, I.T. staff weren't clueless. They tried to "upgrade" those many times before, but discovered reasons it was better to keep the status quo. (Among other things, the company relied on multi-part forms because there was a whole procedure in place where a driver received a certain colored copy of the form while one was filed in the office, and another went to the customer as a receipt. I believe a fourth copy was used in-house by other people picking or handling the order. When one of these printers was switched with a laser printer, you had to rewrite the software to print 4 copies of each page AND to print some sort of easy-to-see header to identify who it was intended for - since it wasn't going to be printing on 4 different colored sheets of paper. Papers got lost in the shuffle since they weren't on continuous, tear-off type forms anymore. Page formatting errors were struggled with since the laser didn't always print on pages quite the way the line printers did. And they even lost the advantage they had before where someone could write a quick note in pen on the top of a multi-part form and have it transferred to the other 3 sheets by default.)
Newer isn't always better, and often? Even when it is, it brings a lot of extra problems to solve or unexpected issues. Still - from the manufacturer's viewpoint, "obsolete" is pretty much defined as a product they haven't sold in a few years or more. At the 5 year mark, you probably have no more warranty coverage, even if you purchased one of those "3 year extended warranties". In most accounting circles, owning the hardware that long means they depreciated it to 0 value. And ultimately - you can't argue that you didn't get some decent use out of a product like a CPU that's been in service for 5 full years. At that point, it was your fault for making a poor initial purchasing decision if you didn't ....
To recall all Intel processors made this century would be impossible without extraordinary intervention. Intel doesn't begin to have the cash that that would require and no bank would loan them the money which could never be repaid. A government bailout provided due to the national security implications of allowing Intel to fold would be the only realistic route to a recall. As part of the bailout, bankruptcy would likely be required with all stock owners losing everything. Nobody wants all of this.
You may very well be correct that Meltdown doesn't apply to AMD, but my concern is everyone's level of certainty about that isn't grounded in anything concrete at this point, at least nothing I've been able to find. The actual Meltdown research paper said it may still be possible with more effort and I don't recall anything saying they were immune, so it seems to me the certainty behind this claim is based entirely on trust in AMD's word. They may have a very good reason for their claim, but unless I see an actual explanation from them as to why, I can't help but have some doubt about what's going on inside that black box.
The problem is not that out-of-order execution takes place.
I think this is where we disagree since I'd argue it is the problem - letting an attacker execute their own instructions with protected data is the leak, the side channel is secondary. While the implementations discussed in the papers did use a specific cache side channel attack, they also mentioned using other methods that didn't depend on the cache. A channel could be as little as 1 bit of detectable state information that persists after the roll back. Even out of band signals like temperature or EM field could potentially be used. Depending solely on this roll back to be air tight just seems crazy to me.
Honestly, until a given CPU with OoOE can be demonstrated to not do this, I can't help but consider it susceptible to Meltdown and think it's only a matter of time before someone gets it working. That someone may not be nice and let us know about it though. Hopefully I'm wrong, but I'd rather enable KTPI wherever I can at the moment.
As for why would AMD mislead? They may not be, they may sincerely believe they are immune, but without an explanation why, you're still blindly trusting their judgement and this wouldn't be the first time engineers missed a hole in their own product.
Keep crying. I'm sure businesses will start taking risks that could cost them billions if you whine loud enough.
Businesses depend to some extent on the goodwill of their customers.
And not only do they frequently make the wrong decision in handling product flaws, they stubbornly refuse to learn that the coverup usually has a worse outcome than the crime.
Pain is merely failure leaving the body
Yes, we agree that opinions vary. Where we don't seem to come to an understanding... That of the human condition it took 2 decades for this flaw, that the designers, according to you, were supposed to have seen through their infallible eye.
I'm way more upset about the Intel ME. That is a far greater and easily exploited vulnerability. Fixing this is just putting lipstick on a pig
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
your work doesn't actually prevent anything like other solutions - by UNIDENTIFIABLE "ne'er-do-well" Anonymous TROLL Friday January 05 (#55869237)
Hosts do MORE for LESS vs. any single solution:
vs. NoScript https://developers.slashdot.org/comments.pl?sid=11549257&cid=55843151/
vs. Browser Addons https://developers.slashdot.org/comments.pl?sid=11549257&cid=55839341/
vs. Antivirus (security issues per Tavis Ormandy & AV slows you - hosts speed you up)
vs. Remote DNS https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/ w/ security issues BY 100's & remote DNS resolves slower vs. hosts locally cached in system RAM.
vs. Routers (security issues galore we've seen for years like UPnP etc. + added costs of purchase & higher powerbills running one "bolted on")
APK
P.S.=> Hosts make you FASTER + SAFER natively vs. illogically "Bolting on 'MoAr'" for less resources/complexity/room for exploit... apk
Of course that's jumping from the 'e' line to the 'normal' desktop line. The closest match would now be i9-7940X or i9-7920X, 12 to 14 cores.
XML is like violence. If it doesn't solve the problem, use more.
They may have a very good reason for their claim, but unless I see an actual explanation from them as to why, I can't help but have some doubt about what's going on inside that black box.
Fair enough.
Honestly, until a given CPU with OoOE can be demonstrated to not do this, I can't help but consider it susceptible to Meltdown and think it's only a matter of time before someone gets it working.
Also fair enough.
That someone may not be nice and let us know about it though.
True, for any discovered potential exploit.
Hopefully I'm wrong, but I'd rather enable KTPI wherever I can at the moment.
You are free to do so.
As for why would AMD mislead?
They would be extremely wise not to do so, and they know it. That is a reason for why they would not mislead.
They may not be, they may sincerely believe they are immune, but without an explanation why, you're still blindly trusting their judgement and this wouldn't be the first time engineers missed a hole in their own product.
Blindly? I trust them a lot more than I trust you.
In fact, the entirety of your post could be construed as nothing else than an Intel representative sowing doubt about their competitors to lessen the hit on themselves.
Can you prove that is not the case? I mean, why should anyone blindly trust you?
See how that works?