Slashdot Mirror


'Next Generation' Flaws Found on Computer Processors (reuters.com)

An anonymous reader shares a report: Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c't, said it was aware of Intel's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable. Meltdown and Spectre bugs could reveal the contents of a computer's central processing unit -- designed to be a secure inner sanctum -- either by bypassing hardware barriers or by tricking applications into giving up secret information.

144 comments

  1. not buying any more new computers & gadgets by FudRucker · · Score: 5, Insightful

    until the CPU manufacturers resolve this issue, if necessary will scour craigslist and second hand PC shops and buy used junk for cheap, no more high dollars spent on new desktops & laptops & tablets & phones until this CPU vulnerability issue is resolved in a proper and long term way

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 5, Insightful

      Nothing will ever be 100% secure, so just give up.

    2. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      It's already an assassination-worthy offense to even think about producing a computer that doesn't invite government three-letter agencies in. Move along and get back to consuming, Citizen. You must be the most undesirable sort if you can't see why privacy is a totally bad thing that only harms everyone.

    3. Re:not buying any more new computers & gadgets by DigiShaman · · Score: 2

      Good luck. From understanding the flaw, finding a solution, testing for unintended consequences, creating a new mask with the changes to fabrication....probably a year wait or longer.

      Best we can hope for is a microcode update that doesn't leave much of a performance hit.

      --
      Life is not for the lazy.
    4. Re:not buying any more new computers & gadgets by ravenshrike · · Score: 3, Interesting

      Except they won't. At least not till quantum computers actually become usable by the regular consumer. Until then all processors will be vulnerable to some extent to SPECTRE class attacks (not however meltdown, that was purely Intel's fuckup) because you lose way too much performance dropping speculative execution entirely. There will merely be mitigation in place to make exploiting such attacks as difficult as possible.

    5. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      I think the point FudRucker is making is that there is no point in buying high-end stuff at premium prices when a year or two down the line you will have to apply crippleware patches to secure it - and reduce it to half the original performance; if you buy yesterday's tech, you could get the same cripplewared performance at a fraction of the price.

    6. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Yeah, let's buy old out-of-warranty junk. And if it all fails we just cry alone and jobless... but at least we took a stand against all that shit, and we showed them what we are capable of.

    7. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Still doesn't make sense. The only way buying old stuff makes any sense is if it is so old that it could not have these flaws. And for that, you probably have to go back 25 years or more. Good luck finding any current software to run on something that old. On the other hand, if the point is that the performance of a new processor will be so crippled that it will perform like an old processor, well then you have to take into account that the old processor is that slow AND still has the flaw.

    8. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      You will never ever be able to buy something like that on a consumer market. You have been sold a fantasy. The fantasy that you owned your computer. You never did and you never will.

      Whether or not your machines have been intentionally weakened is only something the designer of the CPUs would know (I would love to see an interview with them), but ignoring that anyone that just spends serious resources on the behavior of the chips will be able to exploit them and even remotely. A chip is too complicated and there exists no science that tells us how to make a secure chip. It would be an interesting research topic, but I don't think anyone has actually ever made a secure chip (sure, they tell you it's secure, but that doesn't mean it is).

    9. Re:not buying any more new computers & gadgets by OrangeTide · · Score: 1

      Z80 is 100% immune. Time to dust off the old TRS-80.

      --
      “Common sense is not so common.” — Voltaire
    10. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 1

      Why, are you running a public virtualization service?

      I'm not, so I'm not really worried about Meltdown/Spectre attacks on my infrastructure.

    11. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Then maybe the solution is to stop being such a consumer whore and not upgrade your self-surveillance equipment every year?

      You may not be able to buy a computer that doesn't spy on you, but you can certainly refrain from buying a *new* one.

    12. Re:not buying any more new computers & gadgets by BlueStrat · · Score: 2, Interesting

      I think the point FudRucker is making is that there is no point in buying high-end stuff at premium prices when a year or two down the line you will have to apply crippleware patches to secure it - and reduce it to half the original performance; if you buy yesterday's tech, you could get the same cripplewared performance at a fraction of the price.

      That's why you release new OS's and software that *only* work with "new generation" hardware while promulgating new web standards that embrace "new generation" hardware-specific standards but are incompatible with the old.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    13. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 1, Insightful

      you will have to apply crippleware patches to secure it - and reduce it to half the original performance

      That "reduced performance" is actually the performance you should have had all along.

      The problem is, Intel tried to cheat. "Speculative execution" is just a marketing gimmick created so they could claim that their chips were faster than the competition. And when one company cheats, and gets away with it, everyone else has to cheat too, in order to stay competitive. So now we're stuck with hundreds of millions of CPUs with design flaws.

    14. Re:not buying any more new computers & gadgets by Megol · · Score: 2

      A lot of hot moist air coming from your direction, do I also detect some alcohol?

      I own my computer. I also own my own body. I may not be able to tinker with everything in my computer but the same applies to my body. IOW bogus.

      No, these problems/vulnerabilities aren't intentional. Anybody with a working brain would understand that but as you seem to lack that part: these fall out perfectly logically when tracking the progress of processor design, also adding a problem intentionally means giving up one's market share.

      That someone with resources can find a problem is just hand waving. Complex systems have more chances to leak information, processors and computers are very complex beasts so yes statistically it is probable that given enough resources some kind of vulnerability can be found. But that doesn't make them practically exploitable, that doesn't create exploits that aren't there in the first place, that obviously does not make any vulnerability exploitable remotely (ludicrous idea!).

      We know how to make secure chips and there is research done in that area. So absolutely wrong.

      In short a bunch of inane ramblings. I do hope you can blame the alcohol.

    15. Re:not buying any more new computers & gadgets by amorsen · · Score: 3, Interesting

      This is simply not true. Speculative execution has real benefits on real code. Disabling it makes processors drastically slower, not just in benchmarks.

      Luckily it looks like we can get to keep most of the benefits without the security flaws.

      --
      Finally! A year of moderation! Ready for 2019?
    16. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      They plan to discover a new flaw like this every few months, to keep the market moving.

    17. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 2, Informative

      really? Okay, they overstated it -- speculative execution isn't just a marketing gimmick, but they *did* cheap out on implementation which is why AMD was less affected.

      There are, of course, worse marketing gimmicks. Like pretending that the number of virtual cores is the same as physical cores. Anyone with technical knowledge knew better, but marketing was careful to let consumers draw wrong conclusions. Even Intel's own white paper cited a best case performance improvement with hyperthreading was ~30% (I don't recall the exact figure) and a naive implementation actually had a (minute) performance loss. By the time it was put into pentiums the hardware assured there was never any loss, but mostly there is no performance benefit to hyperthreading and definitely there is none if you are doing embarrassingly parallel tasks.

      But it is hard to overcome marketing. I do 3d rendering and tried to educate others, encourage them to do their own tests (and shared mine). The tests showed what I already knew: that performance with hyperthreading was identical to without.

      Ignoring the very real marketing impact and shortcuts for performance reasons just exacerbates the problems.

    18. Re:not buying any more new computers & gadgets by skids · · Score: 2

      Grab a solar panel and as many old MIPS WRT boxes as you can carry and run for the hills!

    19. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Pull the fiber/adsl cable...

    20. Re:not buying any more new computers & gadgets by bws111 · · Score: 1

      Holy crap there is a lot of stupid here. First of all, out-of-order execution is older than Intel itself. Intel is a relative latecomer to the OOO party, having been beaten by at least Control Data, IBM, and AMD. Second, it is not a 'marketing gimmick', it actually makes the processor run workload faster. There is no 'cheating'. Perhaps you think the switch from relays to tubes to transistors to ICs were also all 'marketing gimmicks' to make processors 'seem' faster?

    21. Re:not buying any more new computers & gadgets by skids · · Score: 1

      We know how to make secure chips and there is research done in that area.

      Yep. But we don't actually follow through on it, nor do consumers demand assurances to that effect, so the point is moot until that changes.

    22. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Nothing will ever be 100% secure, so just give up.

      Yes, you may get hit by a car if you go outside of your house because nothing will ever be 100% secure. So just give up and never leave your home.

      The point is, you could do something even though it may not be influential by you alone. It needs enough people to push the point. If you just give up before you start, you would already fail regardless.

    23. Re:not buying any more new computers & gadgets by Carewolf · · Score: 2

      This is simply not true. Speculative execution has real benefits on real code. Disabling it makes processors drastically slower, not just in benchmarks.

      Luckily it looks like we can get to keep most of the benefits without the security flaws.

      Yeah, and fetching things from memory during speculative execution has replaced prefetching, and removing that would get us back to needing instrumented prefetching, so they need to be smarter in undoing an invalid fetch.

    24. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Or you could just go AMD. All the really horrible flaws seem to be Intel-exclusive.

    25. Re:not buying any more new computers & gadgets by imgod2u · · Score: 1

      You realize this flaw exists in almost every CPU built in the past 2.5 decades right? The newer CPUs are actually less susceptible...

    26. Re:not buying any more new computers & gadgets by imgod2u · · Score: 2

      What exactly do you think the difference between prefetching and speculative execution is? Most prefetches use program patterns (some even go so far as runahead to guess addresses) to prefetch into cache. It's this exact behavior of populating the cache before permissions are resolved that is both fast (speedup) and insecure.

    27. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      You know how to make secure chips? Fine, show me one that is actually secure up to the point that there is provably (relative to the Standard Model) no side-channel attack possible, either on chip or off chip.

      I am claiming first that chips are complex and leak information and then you repeat me and then you say without proof that you can make secure chips. Sure, some people do research in tiny sub areas of making a secure chip, but nobody has actually created one. Who is the drunk here?

    28. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      No, we do not know how to make secure chips, because at no point in the history of humanity even a theoretical work has appeared as to how to make one. Commercial products exist, but there is a zero percent probability that they meet the requirements for a secure chip (not a "reasonable secure" or some weak ass notion).

    29. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Try the Risc-V? New architecture, open, and capable of running linux.

    30. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Nope. If speculative execution helps so much, then the pipelines are too deep. Make it run fast with a short pipeline, then branches won't cost much.

    31. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      You may not be able to buy a computer that doesn't spy on you,

      And what would prevent that?
      Current Intel & AMD may have spectre & meltdown flaws - but that doesn't mean the computer is spying on me. It only means someone else's processes could leverage spectre to spy on my processes - but if I don't give anyone else an account, no big deal! "Personal Computer" means just that. May have to do some research in order to deploy a safe multi-user machine though, may have to look into ARM or RISCV or some such.

      Windows may have telemetry & spyware - but I haven't used that os since 1992 so . . .

    32. Re:not buying any more new computers & gadgets by rogoshen1 · · Score: 3, Funny

      Please.

      Are you seriously suggesting that some random on slashdot doesn't actually know more than a team of researchers at intel/amd?

    33. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      I got a Timex Sinclair we can use as a remote administration terminal!

    34. Re:not buying any more new computers & gadgets by skids · · Score: 1

      You are clearly talking out of your ass.

    35. Re:not buying any more new computers & gadgets by Bengie · · Score: 1

      We've reached the point where you can't really make it run faster with shorter pipelines without having a massively wide execution path, which lots of software won't benefit much from, or you have lots of simple cores with the same issue. Execution concurrency or thread concurrency.

    36. Re:not buying any more new computers & gadgets by Bengie · · Score: 1

      Even Intel's own white paper cited a best case performance improvement with hyperthreading was ~30%

      That was a typical performance improvement in a mixed workload, aka lots of multitasking. Worst case decrease was about 5% reduction and best case increase was over 100%, super linear. My cousin was an admin at a datacenter where he saw all kinds of workloads. Some where he disabled HT because of negative performance, and others where he got over a 50% improvement in system throughput.

    37. Re:not buying any more new computers & gadgets by mikael · · Score: 4, Interesting

      Out-of-order execution is similar to the way hospitals are run. You have a number of instructions (patients), you have treatment rooms (arithmetic units), waiting rooms (caches). Any patient might need a number of tests to be performed on a single visit, and the need to perform a particular test might depend on previous tests. Not all treatment rooms are available at the same time, so there is a need to keep patients waiting. There is also the security/confidentiality restriction that patients aren't supposed to see the notes of other patients, but that can happen if staff aren't careful.

      Speculative execution was an idea that the CPU evaluates the two possible future states of itself then discards the outcome that doesn't happen. But they updated the main cache and not some private cache, so a high-level application could do timing tests to see if particular blocks of data were in cache or not.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    38. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      There is currently no on-the-market Intel/AMD design which is not susceptible. It will be (at least) many months before the chip pipelines start putting out new chips with these issues resolved in the actual chip design. Until then updated firmware is all we have.

    39. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      new software on insecure bugged new hardware, or old hardware that has had its issues patched around, running old outdated unsupported software with known bugs and vulnerabilities. pick your poison.

    40. Re:not buying any more new computers & gadgets by epine · · Score: 1

      "Speculative execution" is just a management gimmick created to entice workers into dealing with process delays that management should have eliminated at the process level, to begin with.

      Spoken like a true (defunct) Detroit union boss of the late 1970s.

      Unfortunately, the Japanese had already discovered the magic of making as much progress as possible with the resources in hand, which allowed them to manage inventory on a JIT basis, streamline production, and kick American butt, bigly.

    41. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      until the CPU manufacturers resolve this issue, if necessary will scour craigslist and second hand PC shops and buy used junk for cheap, no more high dollars spent on new desktops & laptops & tablets & phones until this CPU vulnerability issue is resolved in a proper and long term way

      Don't worry.. I will have a serious talk with commander Data about this, our computer processors should be flawless.

    42. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      welcome to the new golden age of classic amiga computers using the motorola 68000 processor family :-)

    43. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      I mean, sure, the problem with Spectre and Meltdown is that they allow you to get information about protected memory.
      The Z80 doesn't have protected memory so it doesn't suffer from that problem.

      Can't have security holes if you don't have security to begin with.

    44. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      At least not till quantum computers actually become usable by the regular consumer.

      Could we stop with the quantum hype? At best quantum chips will end up in a slot next to the GPU as specialized processor. They aren't going to speed up any of the existing programs without the application developers rewriting their programs to use quantum computing friendly algorithms.

    45. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      You clearly have not provided proof for your assertion, which makes you a waste of time.

    46. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Yup. The Z80 is completely, absolutely immune to any of that memory protection nonsense. Intel CPUs make you work to bypass that pesky ring 3-ring 0 divide, whereas the good old Z80 doesn't bother with any of this new-fangled privilege level baloney. If you want kernel memory, just step right up and take it.

    47. Re:not buying any more new computers & gadgets by TheRaven64 · · Score: 2

      What exactly do you think the difference between prefetching and speculative execution is?

      Not the GP, but prefetching, unlike speculative execution, is not rolled back. In speculative execution, you start executing instructions that probably will be executed, but if you shouldn't actually have executed them then you silently discard the results and reset the pipeline to the earlier state. In prefetching, you pull in data from main memory to the cache that might be needed soon, but if it isn't used then you still leave it in the cache and still evict whatever you displaced to load it.

      Both are observable and provide side channels, but prefetching is simpler (speculative execution can also trigger prefetching, so they're non-orthogonal).

      --
      I am TheRaven on Soylent News
    48. Re:not buying any more new computers & gadgets by TheRaven64 · · Score: 1

      Even short in-order pipelines do speculative execution. We are using a 7-stage single-issue in-order pipeline implemented in FPGA for prototyping some ISA extensions. If we don't do speculative execution, we take around a 20-30% performance hit on most real-world code.

      --
      I am TheRaven on Soylent News
    49. Re:not buying any more new computers & gadgets by TheRaven64 · · Score: 3, Informative

      Speculative execution was an idea that the CPU evaluates the two possible future states of itself then discards the outcome that doesn't happen

      I know of a couple of research processors that have worked that way, but nothing in production. It doesn't really scale, because typical C code has a branch (on average) every 7 instructions, but a modern processor can have almost 200 instructions in flight at a time. If you execute both paths (assuming branches are simple conditional branches and not computed jumps), you need to be able to handle both instruction streams for every speculative operation. That means doubling the resources every 7 instructions and you quickly run out of transistors.

      Speculative execution is about guessing what instructions you're going to run next[1] and running it as soon as you have its input operands available, then throwing away all of the state associated with the results if you guessed wrong. This is why branch mispredicts are expensive: the pipeline spends some time executing the wrong thing, then some more time discarding any of the state. The root cause of meltdown and spectre is that 'all of the state' turns out to be more than expected. In the simple case, values are loaded into (or evicted from) the cache as a result of speculatively executed instructions. This can be worked around by fetching values into some separate cache space and only writing them back to the main cache when the instructions are committed. In the more complex case, the time taken to execute and cancel the instructions varies depending on the values. That's much harder to address, because you can't simply roll back time to a little bit earlier...

      [1] In most processors, anyway. The Alpha did value speculation, so would guess the results of instructions and guessing the address of the next instruction was just a special case of this. Fortunately, no one does that anymore - Spectre on the Alpha would have been so much worse than on anything from Intel.

      --
      I am TheRaven on Soylent News
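
The "simple case" from the comment above (and from mikael's earlier comment about the main cache being updated), as a toy Python model: cache fills made by squashed instructions survive the register rollback unless they are held in a separate buffer until commit. This is an added example, not part of the original thread; the `Core` class, addresses and byte values are constructed for illustration and model no real microarchitecture.

```python
"""Toy model (constructed) of speculative cache fills and commit-time buffering."""
from dataclasses import dataclass, field

LINE = 64                                   # bytes per cache line in this model
TABLE_BASE, TABLE_LEN, PROBE_BASE = 0x1000, 4, 0x10000   # constructed addresses


@dataclass
class Core:
    memory: dict                            # address -> byte value
    buffer_fills: bool                      # True: speculative fills wait for commit
    cache: set = field(default_factory=set)        # lines later timing could observe
    spec_buffer: set = field(default_factory=set)  # fills by in-flight instructions
    regs: dict = field(default_factory=dict)       # architectural registers

    def load(self, reg, addr, speculative=False):
        line = addr // LINE
        if speculative and self.buffer_fills:
            self.spec_buffer.add(line)      # mitigation: keep the fill private
        else:
            self.cache.add(line)            # baseline: fill the shared cache now
        self.regs[reg] = self.memory.get(addr, 0)

    def squash(self, checkpoint):
        """Mispredict: restore registers and drop buffered fills.
        Lines already written to self.cache are NOT undone."""
        self.regs = dict(checkpoint)
        self.spec_buffer.clear()

    def commit(self):
        """Correct prediction: buffered fills become visible."""
        self.cache |= self.spec_buffer
        self.spec_buffer.clear()


def bounds_checked_read(core, idx):
    """Models `if idx < TABLE_LEN: y = probe[table[idx] * LINE]` with the
    branch predicted taken, so the body runs before the check resolves."""
    checkpoint = dict(core.regs)
    core.load("x", TABLE_BASE + idx, speculative=True)
    core.load("y", PROBE_BASE + core.regs["x"] * LINE, speculative=True)
    if idx < TABLE_LEN:                     # branch resolves: prediction was right
        core.commit()
        return core.regs["y"]
    core.squash(checkpoint)                 # prediction was wrong: roll back
    return None


def cached_probe_lines(core, n=256):
    """Which probe lines are cached, i.e. what a timing check would see."""
    return [v for v in range(n)
            if (PROBE_BASE + v * LINE) // LINE in core.cache]


def demo(buffer_fills, idx):
    memory = {TABLE_BASE + i: v for i, v in enumerate([1, 2, 3, 4])}
    memory[TABLE_BASE + 8] = 0x2A           # constructed byte past the table's end
    core = Core(memory=memory, buffer_fills=buffer_fills)
    result = bounds_checked_read(core, idx)
    return result, core.regs, cached_probe_lines(core)


if __name__ == "__main__":
    for buffered in (False, True):
        result, regs, lines = demo(buffered, idx=8)
        print(f"buffer_fills={buffered}: result={result} regs={regs} "
              f"probe lines left in cache={lines}")
```

In both runs the out-of-bounds read returns nothing and the registers are restored; only the unbuffered core leaves a cache line whose index equals the byte that was never architecturally read.
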
    50. Re:not buying any more new computers & gadgets by TheRaven64 · · Score: 2

      The original MIPS processors are immune, because they had a 3-stage pipeline and a branch delay slot and so always had the branch destination available by the time that they needed to fetch the target instruction. Almost all later MIPS cores are vulnerable to variations of Spectre, though I believe some of the Cavium ones aren't because they have lots of hardware threads and simply pause a thread on each branch and execute another until they get the branch target.

      --
      I am TheRaven on Soylent News
    51. Re:not buying any more new computers & gadgets by TheRaven64 · · Score: 1

      Meltdown lets you get information across a ring boundary. Spectre lets you get access to memory that's within the program's address space but which shouldn't be readable to a part of the program (e.g. to your web browser's password store from within JavaScript, if you're running a web browser that stores passwords in process).

      --
      I am TheRaven on Soylent News
    52. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      Me too, it's too scary right now.

    53. Re:not buying any more new computers & gadgets by OneAhead · · Score: 1

      craigslist and second hand PC shops

      Sorry to burst your bubble, but if you follow good security practices, the odds of having an unpatched 'next-generation' CPU flaw on a PC in your house (as opposed to a cloud server) actually being exploited in a way that causes you significant discomfort are in the same ballpark as the odds of buying a piece of second-hand equipment with a hard-to-find and/or hard-to-patch (potential) backdoor. The latter is not very likely, I know, but neither is the former.

    54. Re:not buying any more new computers & gadgets by skids · · Score: 1

      I would say it is your assertion that needs proof. So would anyone else who also studied VLSI design in college.

    55. Re:not buying any more new computers & gadgets by Anonymous Coward · · Score: 0

      You are the one that claims we know how to make a secure chip, but you cannot even point at one. I know of a couple of platforms that are secure under a simplistic digital logic security model, but analog security is the playing field of three letter agencies, if at all.

      *You* should provide evidence. I cannot prove a negative. It only takes one paper that shows how to build a completely secure device (per my specifications posted earlier), but you just have nothing to show for it, because it does not exist.

      You, probably aware that you put yourself in an impossible position, are having trouble admitting that you were wrong now. Sad, very sad (as Trump would say).

    56. Re:not buying any more new computers & gadgets by Agripa · · Score: 1

      Make it run fast with a short pipeline, then branches won't cost much.

      A long pipeline is required to increase the load-to-use latency allowing a higher frequency. If the pipeline is shortened, then the load-to-use latency requirements on the cache increase lowering the frequency.

    57. Re:not buying any more new computers & gadgets by mikael · · Score: 1

      ARM produces the 32-bit Flycatcher CPU (Cortex M0+), which has 12K gates and is internet-of-things compatible, so it would be easy to prove that there aren't any secret backdoors. Add a C based GUI system and you would have a secure PC.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    58. Re:not buying any more new computers & gadgets by skids · · Score: 1

      Meh. I did bother to google at one point and read a nice paper on a formal language for a formal pre-silicon design security validation language. But I closed the tab, and am bored with it now. You do know that subcontracting designs is a decades long practice and hardware trojans have been around for so long that the industry is on top of this problem, right? If you're concerned about "analogue security", lower your damn clock speeds so you aren't running all your gates right up to the edge of their specs. And feel free to google yourself. It's not hard information to find.

  2. Moore's Corollary for Bugs? by Anonymous Coward · · Score: 0

    'Next generation' processors will have 'Next generation' flaws.

    Follows directly from "processors have flaws".
    Allows for the assertion that this generation's flaws may be fixed in the next, but does not preclude all-new flaws.

    Filed in the um-duh-department

  3. Not looking well for the future of cpus by Anonymous Coward · · Score: 0

    Full of flaws and unable to advance from 14nm. Looks like people will keep with their older cpus and Windows 7 until this mess is sorted out.

    1. Re:Not looking well for the future of cpus by sexconker · · Score: 1

      I'm still on a 2600k and Windows 7 for my gaming box.
      There are about 3 titles that are DX12 / Windows 10 exclusive that interest me - Killer Instinct, Sea of Thieves, and probably something else that I can't remember. Sea of Thieves currently has no content worthy of a purchase, so I'm fine passing on it for now. (I did play in the stress tests on a physically separate Win 10 install.)

  4. The magazine is named c't? by Anonymous Coward · · Score: 0

    This does seem like a c**t of an issue!

    1. Re:The magazine is named c't? by Kokuyo · · Score: 1

      Or "Computertechnik"... but naaaahh... that doesn't fit the magazine's topic at all.

    2. Re:The magazine is named c't? by dunkelfalke · · Score: 2

      Actually "computing today".

      c't used to be awesome back in the day - the most geeky computer technology magazine in Germany, with a lot of DIY projects. Also sometimes as thick as a mail order catalogue. Their website used to have the same "slashdotted" effect as the actual slashdot of the same time period. Unfortunately with the start of this century c't slowly changed the target group from geeks to more or less mainstream.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  5. More of an issue now by FeelGood314 · · Score: 5, Insightful

    CPUs have always had flaws and as a developer there was always an errata sheet you had to read and understand. The problem today is cloud computing and to some extent javascript. People are now running untrusted code on the same systems as their trusted programs. It was assumed that as long as your sandbox for these programs was secure and well defined that this was safe. Spectre and Meltdown proved this wasn't true.

    1. Re:More of an issue now by hairyfeet · · Score: 1

      This is why I have been saying for years Javascript has GOT to go. It was made in an age when the biggest threat was infected floppy discs and since then it's been band aids on bullet wounds. You shouldn't be running complex code off of third party sites that have had ZERO vetting and with JS and ads these days? Hell malware authors couldn't have designed a better delivery system if they tried!

      IDK if we should go to a locked sandbox with very limited tools, or have only a set of vetting building blocks that can only do limited tasks (the Unix model of small tasks made by small tools) but the Javascript model we are using now? It's just a mess and I don't see any way you can fix it so that it's not a malware delivery system.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:More of an issue now by admin7087 · · Score: 1

      WTF? That's not new at all and has nothing to do with "cloud" computing! Multiple users on multi-user systems used to be the rule, and of course the users were running untrusted code from their user accounts. There used to be Unix and Linux boxes online everywhere. It also used to be easier to pawn computers unless the sysadmin knew what he was doing.

    3. Re:More of an issue now by squiggleslash · · Score: 1

      IDK if we should go to a locked sandbox with very limited tools

      Uh, OK. Are you under the impression that Javascript has access to your file system or something?

      Insofar as some of these CPU bugs are supposedly exploitable in Javascript (and while one of Spectre/Meltdown was, the other wasn't but was widely confused as being the same thing), the same exploit would work in any Turing complete language.

      So you'd need more than sandboxing to protect against these kinds of CPU flaw. You'd need a language so simple it makes DOS's COMMAND.COM batch language look like C++. You'd need a language you couldn't even implement Conway's Life in.

      Not gonna happen.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:More of an issue now by Anonymous Coward · · Score: 0

      Any better alternative?
      Or do you not like people telling you how your solution is more flawed than the thing you want to replace?

      As bad as C is, the possible buffer overflows you can get by trying to roll your own string functions instead of using a proper library is still more secure than any language with an "eval" function.
      Languages that allow us to pass code in variables is what gave us SQL injections.

    5. Re:More of an issue now by Anonymous Coward · · Score: 0

      Coq can be used to write arbitrary safe code. Just because you are not smart enough to use it, is entirely your problem.

    6. Re: More of an issue now by Anonymous Coward · · Score: 0

      So can code be screened?
      Open source should not be a problem I guess, but is it possible to screen executable code for the type and sequence of instructions that use the meltdown and spectre bugs?

      Or, is it possible for the kernel /OS to dispatch all untrusted code to a separate cpu core with limited memory access?

      aRTee

  6. Direct article link by isj · · Score: 4, Informative

    here (German)

    1. Re:Direct article link by Misagon · · Score: 4, Informative
      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    2. Re:Direct article link by Anonymous Coward · · Score: 0

      Fuck Doucheland, why would I care about something written by the krauts?

  7. It Begins by Anonymous Coward · · Score: 0

    ....

  8. Next generation by 110010001000 · · Score: 5, Insightful

    Very possibly the next generation of Intel processors are going to be slower than the previous generation once they have to fix these architectural issues.

    1. Re: Next generation by Type44Q · · Score: 0

      I don't follow your logic.

    2. Re: Next generation by Anonymous Coward · · Score: 0

      He's saying the fixes will have an adverse effect on performance.

    3. Re:Next generation by Anonymous Coward · · Score: 0

      they're obviously not going to fix them. if they do introduce fixes they will be optional modes.

    4. Re: Next generation by Anonymous Coward · · Score: 0

      These flaws are due to shortcuts made to allow increased performance. Remove the flaw, remove the speed advantage.

    5. Re: Next generation by olsmeister · · Score: 1

      For definitions of performance that do not include exposing sensitive data, I guess.

    6. Re: Next generation by Anonymous Coward · · Score: 1

      The short version is that Intel used BlackMagic(TM) called 'Speculative Execution' to enhance performance but it turns out that this introduces unwanted security problems. (Actually, this was known, but those who knew thought no one cared.)

      The slightly longer version is that Intel took (performance) shortcuts in their implementation of speculative execution. A better (more secure) implementation will not have those (performance) shortcuts. This is generally understood to result in slower performance. AMD used a better (more secure) implementation, but they did not entirely escape the problem.

      The longer version is that CPU architecture is incredibly complicated and it is very easy to have unwanted side effects or consequences. In the real world it just isn't as simple and easy to point to a single feature and say it does this and only this. Which is why we hear more news about new but related (to speculative execution) problems. And that is only one of many sophisticated details of modern CPU architecture. And at this point there are a lot of assumptions about behavior that have to be maintained to preserve compatibility so it will be very tricky to maintain, much less improve on, the performance bar that has already been set while fixing these unwanted side effects. Indeed, the easiest solution (from a security POV) would be to drop out the features whose implementations are complicated. Which is pretty much guaranteed to kill performance.

      Not that I think Intel will go that route. Expect gradual architectural tweaks as they look for ways to maintain performance while fixing the leaks. And also look for movement towards patchable/upgradable CPUs, even if just minor enhancements of existing mechanisms.

    7. Re: Next generation by Anonymous Coward · · Score: 0

      To quote Vinnie Gambini, "everything that guy just said is bullshit."

    8. Re:Next generation by Anonymous Coward · · Score: 0

      It is rumored that the fix will be to introduce instructions to designate trusted code and things like your web browser will run slower, but without speculation.

    9. Re: Next generation by Anonymous Coward · · Score: 0

      > I don't follow your logic.

      Well, you *could* have just followed it speculatively!

  9. Speed optimizations by Anonymous Coward · · Score: 0

    We already know more than half of these bugs came about for the sake of cutting corners to squeeze out just that little bit extra processing.
    Can't wait for all these patches, we'll be back to Pentium days lmao
    Fuck x86.

    1. Re:Speed optimizations by Anonymous Coward · · Score: 0

      It is fucking hilarious that you think putting in all the extra circuitry to support both caching and out-of-order execution is 'cutting corners'.

    2. Re: Speed optimizations by Anonymous Coward · · Score: 0

      I'm speaking of investments in making a better architecture instead of that furnace of a design.
      They've created so SO many hacks to get around its limitations, all of which are coming back to bite all of us.
      Meltdown was directly caused by not checking things properly for the sake of squeezing out a few extra cycles here and there while, ironically, doing multiple checks at once.
      A fuck-up on that level was clearly deliberate, as the speed reductions from the patches showed. The supposed fixes to slowdowns did fuck-all for the loads that mattered and most likely is the reason for one of these new flaws!

      So, yes, my friend, it was cutting corners.
      Doing proper checks to verify security, integrity, etc. ALL add significant overhead.
      It happens in online games today where retard developers don't verify client data then you end up with fuckwits spawning tanks in GTAV or people doing a Thanos and wiping a server out to auto-win.
      All so they can save on good servers / server count.
      Same shit, different industry.

    3. Re: Speed optimizations by bws111 · · Score: 1

      You clearly have no idea what you are talking about. First of all, what 'architecture' are you talking about? If it is the ISA, then ANY ISA will benefit from out-of-order execution, which is why even RISC processors use it (unless you know of some magical way to make memory accesses run at CPU speed). And if you mean the micro-architecture, then they clearly DID 'make the investments in making a better architecture' as they switched from an in-order architecture to an out-of-order one.

      Meltdown was not caused by 'not checking things properly for the sake of squeezing a few extra cycles'. Where did you get that idea? It was caused because the check was done in the wrong place. A check in the right place would not have added any extra cycles. It was clearly a MISTAKE. Your idiotic idea that it was 'deliberate' is laughable at best. Of course the OOO execution was deliberate, but the incorrect check wasn't. The fix causes a slowdown because they can't fix it PROPERLY with just software, so more drastic measures needed to be taken. If the check was in the right place in the hardware there would be no slowdown.

      Spectre is primarily a software problem. The hardware provides for separation of memory between processes. Spectre is caused by software not using the hardware, and attempting to provide its own protection (poorly). In spectre, the hardware does not give access to any memory that is different from what it is architected to do.

    4. Re: Speed optimizations by Anonymous Coward · · Score: 0

      Clearly you know enough to be dangerous, but you don't have a complete understanding of how complex it will be to implement a meltdown fix without sacrificing performance - there is an optimization element to Intel's current implementation. You also don't seem to have an accurate understanding of how Spectre works. It's got nothing to do with software vs hardware protections and everything to do with measuring the time difference between cached and uncached hits in speculatively executed branches. It is most definitely able to, via this so-called side-channel, guess data from processes that are isolated in hardware. Many of the present browser fixes involve limiting the resolution of timers exposed to the Javascript VM.

      The hardware fix will most likely be to disable speculative execution for 'untrusted' applications like your web browser's javascript VM.

      P.S. I'm not the parent poster.

    5. Re: Speed optimizations by drinkypoo · · Score: 1

      If it is the ISA, then ANY ISA will benefit from out-of-order execution, which is why even RISC processors use it (unless you know of some magical way to make memory accesses run at CPU speed).

      There was a way to do that back when CPUs were measured in tens of MHz... SRAM. But that's not practical with today's memory volumes, you have to go back to using e.g. a 68k with MB of RAM instead of GB.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Wow! News for the nerds, it is by 140Mandak262Jamuna · · Score: 0

    contents of a computer's central processing unit -- designed to be a secure inner sanctum --

    All these nerds who have been using the computers since they were toddlers would find this description of the CPU really really fresh, novel and eh, yes, news.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Wow! News for the nerds, it is by Anonymous Coward · · Score: 0

      Well, speaking as a nerd, the Next Generation's biggest flaws were in the beginning, Tasha Yar's lack of meaningful purpose, even as a backstory was one big one, but Riker's cherubic face also managed to be appalling in a fleet officer, and of course, the Wesley was just plain abominable. However, there were more subtle ones, including the fact that effectively, despite ostensibly being a "family ship" all of the main cast might as well have been orphans. Sure, various members showed up from time to time, but was it really meaningful? No, they were just plot devices. This was one of the many carry-overs from TOS, and it's no surprise that DS9 went the opposite direction.

      I would criticize some of the early episodes, but apparently they were relics left over from Phase II plans that got used due to a writer's strike in Hollywood, so I'll be slightly forgiving.

       

  11. Re: not buying any more new computers & gadget by Type44Q · · Score: 1

    Shill, you are not good at your job; in fact, you're terrible. Give the fuck up??

  12. B-Movie by Anonymous Coward · · Score: 0

    Intel! Inside! They got so many holes as a plot line for a b-movie horror...

  13. Reserving CVE numbers is a meta-security hole. by craighansen · · Score: 2

    The process of reserving CVE numbers clearly discloses timing of discovery of vulnerabilities. The CVE numbering authority should close that potential security hole.

    I'm at least half serious about this. Arguably, knowing that vulnerability disclosures are coming reduces the value of current and upcoming products and can even have an effect on stock prices. It may also embolden black-hat security to step up efforts to discover vulnerabilities, knowing of the presence of them, and encourage them to attempt to subvert security measures to keep them secret until patches are available.

    1. Re:Reserving CVE numbers is a meta-security hole. by Anonymous Coward · · Score: 0

      Publishing vulnerabilities presents your hole, even without a numbering system. I don't need to know that CVE " 1 million and 2 " has been reserved to know there are more potential vectors since the last time I checked the list. If I see the list was 100 vulnerabilities long in January and 200 long in March. I know there are at least 100 more things to try.

    2. Re:Reserving CVE numbers is a meta-security hole. by Anonymous Coward · · Score: 0

      CVE's are issued in bulk to some organizations for exactly that reason. It's a stupid policy because it gives the company in question legal wiggle room to say they weren't aware of it until x date when in fact that may be +/- depending on their liability.

      https://cve.mitre.org/cve/cna.html

    3. Re:Reserving CVE numbers is a meta-security hole. by craighansen · · Score: 1

      There's no clear need for CVE numbers to be issued sequentially at all, whether individually or in blocks; only that they be unique.

    4. Re:Reserving CVE numbers is a meta-security hole. by phantomfive · · Score: 1

      Arguably, knowing that vulnerability disclosures are coming reduces the value of current and upcoming products and can even have an effect on stock prices.

      That would be the best thing to happen in security in the last two decades (since ssh was invented, basically). Companies would suddenly start caring about security.

      --
      "First they came for the slanderers and i said nothing."
  14. More "new" bugs?? by Anonymous Coward · · Score: 0

    How in the hell did these get past kernel devs who have been all over their respective kernels for months dealing with Spectre and Meltdown?? Something isn't adding up here kids.

    1. Re: More "new" bugs?? by Brockmire · · Score: 1

      Some people just find bugs and report them, others fix reported bugs. The key word in these discoveries is "researchers".

  15. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 0

    A 100 percent secure computer can be turned into a military grade cipher machine by every competent computer scientist...

  16. Likely Variants on Spectre by crow · · Score: 2

    It is likely that there are other bugs related to speculative execution that can leak data. For example, you could have code that leaks data through timing instead of through direct cache impact. You measure the number of cycles after writing clever code that consumes one more or less based on a bit of restricted data.

    1. Re:Likely Variants on Spectre by imgod2u · · Score: 1

      That's also what Spectre (and Meltdown) did. They timed cache accesses before and after speculative loads using secure data as the "forwarding address".

      The other variants (BranchScope if you're interested) uses a similar technique except it trains the branch predictor using secure data bits and then times the execution time.

    2. Re:Likely Variants on Spectre by Anonymous Coward · · Score: 0

      It is likely that there are other bugs related to speculative execution that can leak data. For example, you could have code that leaks data through timing instead of through direct cache impact. You measure the number of cycles after writing clever code that consumes one more or less based on a bit of restricted data.

      Spectre/Meltdown don't directly access inaccessible memory, they do infer cached data from timing attacks.

      Nobody read the damned papers when they were announced apparently, and everyone pounced on Intel like they left a door open or something.

  17. tomorrow's headline by Anonymous Coward · · Score: 0

    "seventeen computer security researchers from multiple nations have mysteriously disappeared during the overnight hours."

    the only evidence is a cryptic note left at each scene, which a cipher expert cracks a week later as saying "quit finding our backdoors or you will be next"

  18. Re: not buying any more new computers & gadget by sexconker · · Score: 2, Insightful

    A 100 percent secure computer can be turned into a military grade cipher machine by every competent computer scientist...

    Nope. A 100% secure system wouldn't let the computer scientist modify it or even determine that its hardware met milspec.

  19. Don't care by Anonymous Coward · · Score: 0

    Really not that concerned anymore. Just bought a Haswell desktop for cheap, not putting money into newer hardware for awhile. Do I care if the chip is shrunk down again? Nope. Most mobile chips are crap, focused purely on saving energy. Have to buy a gaming notebook just to get a decent mobile chip. Otherwise ultra low powered junk. Now with all the flaws you could ever want in a chip.

  20. conspiracy theory time by slashmydots · · Score: 1

    I bet this is why the new line of Intel processors was delayed significantly. Anyone else suspect that?

  21. Full page reload for every action? by tepples · · Score: 1

    This is why I have been saying for years Javascript has GOT to go.

    Would you prefer a form submission and full page reload for every action that you perform in a web application?

    IDK if we should go to a locked sandbox with very limited tools

    That's what JavaScript was supposed to be.

  22. Re: not buying any more new computers & gadget by Type44Q · · Score: 0

    Tell me more about this "performance vs security tradeoff" theory of yours... Ah, I see that you don't understand what cpu's even do (much less how they do it) and simply pulled that out of your ass... well done; now shut the fuck up.

  23. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 0

    Dumbest thing I've read all day. And on slashdot no less. Wtf happened here guys? The comments used to be the best part.

  24. Next Generation Flaws by NEDHead · · Score: 0

    Lore

  25. New architecture? by duke_cheetah2003 · · Score: 2

    Maybe the entire architecture paradigm needs a start-from-scratch perspective?

    We've been doctoring and hacking the PC architecture for what, 30 years now? Under the hood, everything still basically laid out the same as it was with the first 286 and 386 machines. Not much has changed. Maybe it's time to redo everything?

    1. Re:New architecture? by Anonymous Coward · · Score: 0

      x86/x64 is only the API. processors internally use all kinds of tricks to implement it.

      moving to ARM or MIPS or POWER doesn't help, because to optimize those requires the same tricks.

    2. Re:New architecture? by Anonymous Coward · · Score: 0

      It is not PC architecture as such which is to blame. There is nothing majorly wrong with that compared to other processor architectures.
      At the level that the Spectre and Meltdown attacks work, all modern microprocessors work more or less the same, and it is merely details in the implementation which determines if they are vulnerable or not.

      Perhaps it is time to redo everything, but that would essentially mean throwing away much of the last 50 years worth of CPU research - that is how long Out of Order Execution has been used.
      And even if a total restart did happen, that would most likely just mean replacing old vulnerabilities with new ones. That or getting much lower performance than today.

  26. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 0

    hot moist alcohol air? wtf are you talking about? stick to the facts, champ.

  27. Old Skool Time by brwski · · Score: 1

    It's clear that it's time to grab the old 6502 design and modernize it -- let's call it the 656464. A 7nm, 64-core, 64-bit version (basically change nothing else other than needed glue between the chips, memory linkages, and the instruction width), with a decent cache attached, would not take up all that much die space, and would be really interesting, albeit slow in many ways due to a good number of modern tricks not being in place. But without those tricks many security issues they cause could be avoided, and they could be added in to later versions after extensive vetting. (And yes, RISC-V could be a step this way.)

    --

    brwski
    "Because without beer, things do not seem to go as well''

    1. Re:Old Skool Time by nester · · Score: 1

      UltraSPARC T1

    2. Re:Old Skool Time by brwski · · Score: 1

      That hadn't come to mind. Good call.

      --

      brwski
      "Because without beer, things do not seem to go as well''

    3. Re:Old Skool Time by Agripa · · Score: 1

      Well, let's see. With modern high performance caches executing at 3 GHz with a 4 cycle load-to-use penalty, a 6502 would come out at like 375 MHz. There are faster processors than that which do not employ speculative execution including many current ARM cores.

  28. Re: not buying any more new computers & gadget by ralphsiegler · · Score: 4, Insightful

    the 100% percent secure computer is one that no one can access and no one knows where it is

  29. Not a language issue by FeelGood314 · · Score: 4, Insightful

    It's not the language it's the CPU instruction pipeline. On your old 8 bit computer it would take 4 ticks to fetch the instruction, fetch the arguments, do the calculation, store the result. Then we got a pipeline where each tick you would do all 4 things, fetch instruction 4, get the arguments for instruction 3, do the calculation for instruction 2 and store the result of the instruction 1. Over the years pipelines got longer and more complex. An inefficiency in pipelines occurs when you do a branch, then have to wait for the pipeline to fill. The solution to this is to fetch both instructions and speculatively do both until you know which way the branch went. Unfortunately there were two security problems with this. Intel wasn't checking if you had permission to gather the arguments until after they were fetched and second some effects of following the branch that wasn't taken could be seen by the branch that was. So the trick was to get the speculative branch, the one your code won't take in the end, to fetch something you shouldn't have access to and then in the other branch look at that data.

    It is actually very easy to exploit Meltdown and Spectre in assembly and C and much harder in JavaScript. However, my web browser doesn't regularly download and run binary files, it does regularly load JavaScript and automatically run it.

    1. Re:Not a language issue by Anonymous Coward · · Score: 0

      So the trick was to get the speculative branch, the one your code won't take in the end, to fetch something you shouldn't have access to and then in the other branch look at that data.

      OMG -- thanks. That's the FIRST understandable overview explanation I've heard. All of the rest are BAD something mumble EVIL mumble.

    2. Re:Not a language issue by craighansen · · Score: 1

      Unfortunately, even if it's "harder," it's still possible to exploit in JavaScript, and with development of portable assembly language variants, it'll be easier. And once written as POC, it's easy to deploy in a vast variety of contexts.

    3. Re:Not a language issue by complete+loony · · Score: 3, Informative

      Right, each of the variants use that same model; code that is executed speculatively, reads from memory. Your code can see some side effect, and work out what values are in that memory. To extend that simple description slightly to the currently known variants;

      Meltdown (CVE-2017-5754). Speculatively executed code can bypass features of Intel CPU's that would normally prevent you from reading the kernel memory of the operating system. The workaround to this problem required changes to how the kernel swaps from "user mode" to "kernel mode", making this process much slower.

      Spectre-V1 (CVE-2017-5753). Untrusted code, like JIT compiled Javascript, running inside the same process as trusted code, speculatively executes a read from an array that's out of bounds. This can read any memory that the trusted process can normally read. The linux kernel includes a JIT compiler, so you could use this flaw to read any memory from the kernel. A work-around for this is specific to each program that combines trusted and untrusted code and would probably make every read from an array slower.

      Spectre-V2 (CVE-2017-5715). This one is hard to explain in a simple way, but I'll try. For some types of assembly branch instructions, you can train the CPU into branching somewhere the program wouldn't normally go. You use this to trick a trusted program into speculatively reading its own secrets from memory (which it does normally have permission to do). Then your program can see the effects of this execution. The trusted program could be any other program, the OS kernel, or even running in another VM. It just has to be running on the same physical CPU. A work-around can be built into every compiler, by avoiding using these assembly instructions in every trusted program.

      Note that you can combine Meltdown & Spectre-V1 so that Javascript can read from kernel memory. Lots of discussions of these issues have been very murky and confusing, often getting the specific details mixed up. Like which issue can be used to read from the kernel, and which of Intel and AMD is vulnerable.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
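
The per-program workaround for Spectre-V1 described in the comment above is commonly done by index masking, the idea behind the Linux kernel's `array_index_nospec()`. The block below is an added example, not part of the original comment or of any project's code: `index_mask`, `clamp_index`, `read_plain`, `read_hardened` and the table contents are hypothetical names and constructed data.

```c
/* Added illustration: branchless index masking as a Spectre-V1 mitigation.
 * All names are hypothetical; the table holds constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16

static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Returns all-ones when index < size and zero otherwise, using only
 * arithmetic. Because no branch is involved, the result is a data
 * dependency the CPU cannot "predict around".
 * Assumes size <= SIZE_MAX / 2, which holds for any real array.
 *
 * If index < size, both index and (size - 1 - index) are small and
 * non-negative, so the top bit of their OR is clear. If index >= size,
 * either index has its top bit set or (size - 1 - index) wraps and does. */
static size_t index_mask(size_t index, size_t size)
{
    size_t v = index | (size - 1 - index);
    size_t in_bounds = (~v) >> (sizeof(size_t) * 8 - 1);  /* 1 or 0 */
    return (size_t)0 - in_bounds;                         /* ~0 or 0 */
}

/* In-bounds indexes pass through unchanged; everything else becomes 0. */
static size_t clamp_index(size_t index, size_t size)
{
    return index & index_mask(index, size);
}

/* Before: the bounds check is architecturally correct, but if the branch
 * is mispredicted the load below can still run speculatively with an
 * out-of-bounds index. */
static uint8_t read_plain(size_t index)
{
    if (index >= TABLE_SIZE)
        return 0;
    return table[index];
}

/* After: the same check, plus a clamp on the index itself. Even on a
 * mispredicted path the load can only touch table[0..TABLE_SIZE-1].
 * The extra AND on every access is the per-read cost the comment
 * anticipates. Production code also adds a compiler barrier or inline
 * assembly so the optimizer cannot turn the mask back into a branch. */
static uint8_t read_hardened(size_t index)
{
    if (index >= TABLE_SIZE)
        return 0;
    return table[clamp_index(index, TABLE_SIZE)];
}

int main(void)
{
    size_t samples[] = { 0, 5, 15, 16, 1000, (size_t)-1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t idx = samples[i];
        printf("index=%zu clamped=%zu plain=%u hardened=%u\n",
               idx, clamp_index(idx, TABLE_SIZE),
               (unsigned)read_plain(idx), (unsigned)read_hardened(idx));
    }
    return 0;
}
```
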
    4. Re:Not a language issue by Agripa · · Score: 1

      The solution to this is to fetch both instructions and speculatively do both until you know which way the branch went.

      Speculative execution relies on the branch prediction to execute *one* of the paths after the branch. Eager execution executes both sides of the branch in which case branch prediction is not required. Only research processors use eager execution as it is incredibly inefficient compared to branch prediction which has gotten very good.

  30. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 0

    Exactly correct, because the 100% secure computer is TURNED OFF.

  31. Using code you don't understand by Anonymous Coward · · Score: 0

    I remember a professor for a machine language course ranting about unpredictable behavior by the MASM assembler, and thinking, gee, you were the person who made us use MASM in the first place instead of one of several different modern, well-supported open source assemblers. I guess he was trying to communicate that a lot of ML programming work is keeping old crappy systems running. Either that, or MASM was what he knew.

    Getting back to the subject though, could it be that the way the CPUs actually run programs now has little to do with the assumptions that the programmer or the compiler is making? What is the use of running legacy code if it is a ticking time bomb, depending on the generation of the CPU and the version of the microcode? What's so great about backwards compatibility if the 4004 instruction set way of doing things doesn't have anything to do with reality?

  32. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 1

    I have a 100% secure computer. It's a paper and pencil, while I'm locked in a sealed room. 100% Turing complete, the problem is the processing speed is extremely slow, and has a high error rate..

  33. Re: not buying any more new computers & gadge by Anonymous Coward · · Score: 0

    Ryzen not even faster? Did I dream the Tom's Hardware review placing Ryzen as outright best gamer CPU?

  34. Re: not buying any more new computers & gadg by Anonymous Coward · · Score: 2, Informative

    AMD Ryzen 1700, the previous gen, has, 8 cores, 16 threads, 3+ ghz base, 4ghz burst. 65watts.
    It's not much faster than my 8120fx, but it has twice the threads for half the watts.

    So its 4x as fast per watt and fits in Tiny itx builds.

  35. Re: not buying any more new computers & gadget by Anonymous Coward · · Score: 1

    Back in the day, researchers from AMD and Intel would be Slashdot randoms. These days I doubt a Slashdot random could walk and chew gum at the same time.

  36. Turns out Brian Krzanich was right. *wink* by xxxLCxxx · · Score: 1

    Why don't we hear anything about him being prosecuted? I can't think of a more obvious case ...

  37. Re: not buying any more new computers & gadget by WallyL · · Score: 1

    the 100% percent secure computer is one that no one can access and no one knows where it is

    Oh, that one. I remember that one-- in Langley, VA!

  38. link? by Anonymous Coward · · Score: 0

    How about a useful link? Here you go:
    http://blog.frizk.net/2018/03/...