In the case of FDIV, one could point to the IEEE floating point specification (and a hand-calculator) and show that the Intel processor produced a verifiably wrong answer to a divide operation.
There is an explicit set of rules (called this instruction set architecture or ISA) which govern exactly how a given computer is allowed to behave, and the CPU vendors all produced chips which follow those rules.
The ISA says that the memory returned by a load operation is subject to the permissions as setup through the virtual memory protocol, it provides no protection to a malicious person inferring the secret through some other means. They would never provide such a guarantee because there is no known solution to the general problem of 'side-channel communication'.
So, if Intel was looking for a legal solution to avoid paying for a recall--all they have to do is say, "you wanted an x86 ISA chip, that's what you got. caveat emptor". You can't claim they even violated "fitness for a purpose" constraints (in jurisdictions where those protections apply) because these chips are perfectly fit for the purpose of running non-malicious code--and there is basically no known theoretical solution which guarantees containment of malicious code (apart from wiping all implementation state when switching between different threads or something).
Now in practice, Intel (and the other affected manufacturers) are going to do better than throwing their hands up and saying "it's your problem", because there is free market pressure to do so. But they are most likely on firm legal ground in avoiding any sort of massive recall.
> Security is like virginity: indivisible. You can't be "just a little bit insecure".
This is the most false statement I have ever heard on/., and that's saying something. There is NO such thing as perfect security. All you can do is raise the cost, time, & effort required to defeat the security measures. This is true for every kind of security that has ever existed in the history of mankind.
> Note that the remedies for Meltdown will more than wipe out the performance gains obtained by the ill-advised speculative execution.
You really have no idea what you're talking about. Turn off OoO execution and performance slows down dramatically. Turn on KPTI and performance slows down negligibly.
It's clear you don't understand computer architecture, engineering, or basic security principles.
Why would it need to clear the cache? It should just need to purge the TLB on transitions from kernel -> user. I think maybe you don't understand what the patch does.
I couldn't care less about gamers. Neither does the rest of the world. Grow up.
This was not Intel knowingly cutting corners. The amount of verification that goes into building a CPU is mind-boggling. There are dozens of layers of constrained-random verification, formal verification, electrical verification, performance verification. The techniques used are decades beyond the types of QA testing that most people on this forum are familiar with.
This is just not an attack-vector that computer architects are used to reasoning about. For the most part, the security isolation story is based on keeping architected state separate--caches are supposed to be architecturally invisible so you don't think of them as being an attack-vector. You certainly don't think of the measurable access latency through the cache hierarchy as being part of the attack surface; classically when we're reasoning about process isolation we aren't thinking about timing at all.
The exploit here relies on measuring the latency to access some piece of data that you have permissions to, and using that to infer the value of a piece of data that you don't have permissions to--it turns out the two are connected due to the way exceptions are handled during speculative execution. It slipped through the cracks. Mistakes happen.
You're well within your rights to complain about how Intel is reacting to the bug--but it is absurd to claim that they "knowlingly cut corners". I have no way of knowing, but my guess is that you churn out buggy Javascript for a living--which makes your 'holier than thou' attitude even more misplaced.
AFAIK the kernel software workaround (called KPTI in Linux) makes it impossible to exploit the Meltdown hole (i.e. variant #3 from Project Zero). There's some performance cost but Google has measured the cost as negligible on real workloads. I'm running with a similar patch in OS X and I can't tell any difference.
It doesn't matter if the original bug is in the HW or not, so long as there is a workaround at some layer (firmware, kernel, etc.). You are beyond naive if you think this is the first time a HW bug has been masked by SW--it happens all the time. Usually the workaround is buried in a driver or firmware and you never hear about it.
Based on my understanding the specific Meltdown hole can be plugged with KPTI. It's really just a matter of removing the kernel TLB entries whenever executing user code.
because of engineers who think the right solution to every problem is to pop up a non-intuitive message and ask non-technical users to make a confusing choice.
In this case Apple erred in the other direction. The right compromise is to add some non-invasive info in the Settings->Battery section about the diminished battery capacity and its effect on performance.
Why do we treat smell as though it's some sort of metaphysical sixth sense that cannot be replicated by something man-made?
Dogs can do amazing things, but they have approximately the same attention-span and cognitive function as a 2 year-old human--so maybe let's not trust cancer diagnosis to them.
I missed your comment the first time through, on the off chance you notice this I'll respond now.
I actually agree with you that it's really annoying to hear about "white privilege" and "toxic masculinity". I think some people are too eager to assign blame to white males for females or certain minorities being underrepresented, and the science & common sense don't justify that theory. For example, it doesn't explain why male & female Asian Americans [including Indians] are overrepresented in tech (relative to their percentage of the general population). It would take a really specific form of racism and misogyny to explain why white people are okay with an Indian woman in tech but not a white one, or why they're okay with a Chinese guy but not a Hispanic guy
That said, the fact that there is some nonsense on one side of an issue doesn't excuse nonsense on the other side. James Damore's manifesto is psuedo-science bullshit. You can read similar treatises from 50 or 100 or 500 years ago explaining why some group of humans are "genetically predisposed to different kinds of work". They also made an effort to sound really sciency, and if you read them today it would turn your stomach.
It's a miracle that science advanced as far as it did before we had computer programmers who have the unique ability to push the frontiers of every scientific field.
You're basically saying that software engineers have done a thorough review of neurobiology and have determined that this entire field is operating in an unscientific way. The only hope for advancement in the field of neurobiology is C++ hackers posting psuedo-sciency bullshit on internal company forums.
because there is insufficient or conflicting data. The scientific consensus [as I understand it] amongst neurobiologists is overwhelmingly that race & sex are not predictive traits for knowledge worker performance; and there's no neuro-biological explanation that leads us to any such conclusions..
Amongst sociologists, on the other hand, there is an overwhelming consensus that economic & cultural factors have a huge impact on how demographic categories are sorted into professions
So, if you're asking me what I believe, I'd say that 'cultural factors' are the most-likely explanation for why some demographic categories are under-represented or over-represented. That doesn't mean I believe it is due to direct racism or misogyny from tech companies, either, BTW; because that theory struggles to explain why male of Asian descent are over-represented in tech relative to their population, and why Asian females enter tech at higher rates than white females.
My bullshit meter went off as soon as I realized that the author was writing about neurobiology, he was presenting opinions that are clearly in the minority [in fact virtually non-existent] among experts in that field, but rather than presenting his 'research' to neurobiologists he was presenting them to software engineers.
If I have a problem with the standard template library I don't go post a manifesto to a chemistry forum.
Your premise is wrong. If it had been a real scholarly work (i.e., not psuedo-sciene bullshit) and presented in the right forum (e.g. a journal of neuro-biology), then he wouldn't have been fired. Trying to make something sound sciency doesn't give you free license to slander demographic groups while at work. What if he wrote that Jewish people were bad at solo programming? or African-Americans? Would you be so enthusiastically in favor of his right to provide "alternative viewpoints" at work?
No, he was slandering women, and apparently you are totally cool with that.
Slashdot Mirror
In the case of FDIV, one could point to the IEEE floating point specification (and a hand-calculator) and show that the Intel processor produced a verifiably wrong answer to a divide operation.
There is an explicit set of rules (called this instruction set architecture or ISA) which govern exactly how a given computer is allowed to behave, and the CPU vendors all produced chips which follow those rules.
The ISA says that the memory returned by a load operation is subject to the permissions as setup through the virtual memory protocol, it provides no protection to a malicious person inferring the secret through some other means. They would never provide such a guarantee because there is no known solution to the general problem of 'side-channel communication'.
So, if Intel was looking for a legal solution to avoid paying for a recall--all they have to do is say, "you wanted an x86 ISA chip, that's what you got. caveat emptor". You can't claim they even violated "fitness for a purpose" constraints (in jurisdictions where those protections apply) because these chips are perfectly fit for the purpose of running non-malicious code--and there is basically no known theoretical solution which guarantees containment of malicious code (apart from wiping all implementation state when switching between different threads or something).
Now in practice, Intel (and the other affected manufacturers) are going to do better than throwing their hands up and saying "it's your problem", because there is free market pressure to do so. But they are most likely on firm legal ground in avoiding any sort of massive recall.
> Security is like virginity: indivisible. You can't be "just a little bit insecure".
/., and that's saying something. There is NO such thing as perfect security. All you can do is raise the cost, time, & effort required to defeat the security measures. This is true for every kind of security that has ever existed in the history of mankind.
This is the most false statement I have ever heard on
> Note that the remedies for Meltdown will more than wipe out the performance gains obtained by the ill-advised speculative execution.
You really have no idea what you're talking about. Turn off OoO execution and performance slows down dramatically. Turn on KPTI and performance slows down negligibly.
It's clear you don't understand computer architecture, engineering, or basic security principles.
Why would it need to clear the cache? It should just need to purge the TLB on transitions from kernel -> user. I think maybe you don't understand what the patch does.
I couldn't care less about gamers. Neither does the rest of the world. Grow up.
This was not Intel knowingly cutting corners. The amount of verification that goes into building a CPU is mind-boggling. There are dozens of layers of constrained-random verification, formal verification, electrical verification, performance verification. The techniques used are decades beyond the types of QA testing that most people on this forum are familiar with.
This is just not an attack-vector that computer architects are used to reasoning about. For the most part, the security isolation story is based on keeping architected state separate--caches are supposed to be architecturally invisible so you don't think of them as being an attack-vector. You certainly don't think of the measurable access latency through the cache hierarchy as being part of the attack surface; classically when we're reasoning about process isolation we aren't thinking about timing at all.
The exploit here relies on measuring the latency to access some piece of data that you have permissions to, and using that to infer the value of a piece of data that you don't have permissions to--it turns out the two are connected due to the way exceptions are handled during speculative execution. It slipped through the cracks. Mistakes happen.
You're well within your rights to complain about how Intel is reacting to the bug--but it is absurd to claim that they "knowlingly cut corners". I have no way of knowing, but my guess is that you churn out buggy Javascript for a living--which makes your 'holier than thou' attitude even more misplaced.
AFAIK the kernel software workaround (called KPTI in Linux) makes it impossible to exploit the Meltdown hole (i.e. variant #3 from Project Zero). There's some performance cost but Google has measured the cost as negligible on real workloads. I'm running with a similar patch in OS X and I can't tell any difference.
It doesn't matter if the original bug is in the HW or not, so long as there is a workaround at some layer (firmware, kernel, etc.). You are beyond naive if you think this is the first time a HW bug has been masked by SW--it happens all the time. Usually the workaround is buried in a driver or firmware and you never hear about it.
Based on my understanding the specific Meltdown hole can be plugged with KPTI. It's really just a matter of removing the kernel TLB entries whenever executing user code.
nt
because of engineers who think the right solution to every problem is to pop up a non-intuitive message and ask non-technical users to make a confusing choice.
In this case Apple erred in the other direction. The right compromise is to add some non-invasive info in the Settings->Battery section about the diminished battery capacity and its effect on performance.
that rules out most of the /.'s audience.
Why do we treat smell as though it's some sort of metaphysical sixth sense that cannot be replicated by something man-made?
Dogs can do amazing things, but they have approximately the same attention-span and cognitive function as a 2 year-old human--so maybe let's not trust cancer diagnosis to them.
How many trillion $ did we spend on the gulf wars?
So you only hate certain subsidies.
you can do things in any order you want. Oh, that's right, you're irrelevant. I forgot.
In that case, please enjoy criticizing relevant people on the internet.
...waiting....
Hillary Clinton Gave 20 Percent of United States' Uranium to Russia in Exchange for Clinton Foundation Donations?
"I like A, I don't understand why other people like B" - Every slashdot post for the past 20 years
I missed your comment the first time through, on the off chance you notice this I'll respond now.
I actually agree with you that it's really annoying to hear about "white privilege" and "toxic masculinity". I think some people are too eager to assign blame to white males for females or certain minorities being underrepresented, and the science & common sense don't justify that theory. For example, it doesn't explain why male & female Asian Americans [including Indians] are overrepresented in tech (relative to their percentage of the general population). It would take a really specific form of racism and misogyny to explain why white people are okay with an Indian woman in tech but not a white one, or why they're okay with a Chinese guy but not a Hispanic guy
That said, the fact that there is some nonsense on one side of an issue doesn't excuse nonsense on the other side. James Damore's manifesto is psuedo-science bullshit. You can read similar treatises from 50 or 100 or 500 years ago explaining why some group of humans are "genetically predisposed to different kinds of work". They also made an effort to sound really sciency, and if you read them today it would turn your stomach.
and he was teaching us all that women are genetically inferior then he would be a hero here. The /. crowd is very flexible on its fealty to science.
Disable Hey Siri
It's a miracle that science advanced as far as it did before we had computer programmers who have the unique ability to push the frontiers of every scientific field.
then that must represent scientific consensus of the entire field. Also there's no such thing as climate change and the Earth is flat.
I'm not following. You're simply pointing out that there are some crazy people on both sides? Agreed.
You're basically saying that software engineers have done a thorough review of neurobiology and have determined that this entire field is operating in an unscientific way. The only hope for advancement in the field of neurobiology is C++ hackers posting psuedo-sciency bullshit on internal company forums.
because there is insufficient or conflicting data. The scientific consensus [as I understand it] amongst neurobiologists is overwhelmingly that race & sex are not predictive traits for knowledge worker performance; and there's no neuro-biological explanation that leads us to any such conclusions..
Amongst sociologists, on the other hand, there is an overwhelming consensus that economic & cultural factors have a huge impact on how demographic categories are sorted into professions
So, if you're asking me what I believe, I'd say that 'cultural factors' are the most-likely explanation for why some demographic categories are under-represented or over-represented. That doesn't mean I believe it is due to direct racism or misogyny from tech companies, either, BTW; because that theory struggles to explain why male of Asian descent are over-represented in tech relative to their population, and why Asian females enter tech at higher rates than white females.
My bullshit meter went off as soon as I realized that the author was writing about neurobiology, he was presenting opinions that are clearly in the minority [in fact virtually non-existent] among experts in that field, but rather than presenting his 'research' to neurobiologists he was presenting them to software engineers.
If I have a problem with the standard template library I don't go post a manifesto to a chemistry forum.
Your premise is wrong. If it had been a real scholarly work (i.e., not psuedo-sciene bullshit) and presented in the right forum (e.g. a journal of neuro-biology), then he wouldn't have been fired. Trying to make something sound sciency doesn't give you free license to slander demographic groups while at work. What if he wrote that Jewish people were bad at solo programming? or African-Americans? Would you be so enthusiastically in favor of his right to provide "alternative viewpoints" at work?
No, he was slandering women, and apparently you are totally cool with that.