Here almost every store (carrier or retailer) will favour a specific manufacturer - it could be as simple as they commission that they make is higher for a given manufacturer because of incentives -- or it could just be what they are familiar with and are therefore more comfortable selling. Bias is normal and pretending it does not exist -- just makes you an easy target.
First, when pricing phones and doing comparisons -- include the total cost of ownership of each of those models. People often get hung up on a device costing $100 or $200 more as being 15% to 25% more. I am use to not having a plan in the country I am living in (and total cost is considerably less than my home country of Canada). Phones should typically last 4 years (even sell the phone and get a new one; or recycle it through the family) with being reasonably useful - so that is typically what I use for total cost. In Canada where the market is very costly this could mean over those 4 years you are spending $4,000 on a plan for that phone.... so if a phone costs $600 - your total cost of ownership is $4,600, or more. So in the end being cheap about the actual device is not saving a whole lot of money.
Most people usually have a strong preference (Android or iPhone) -- my case I prefer my iPhone. If you are an Android user I would probably give preference to a Pixel phone just because a lot of vendors are slow (at most) on updating the phone with the new version or security updates.
At this point you have probably narrowed down your choice - and you probably know what you use your phone for. If you use your phone alot and it is a very important device, just chose the best phone that you can buy at the time that suits your needs.
All sales people have their own preferences and unfortunately most are swayed by choices other than what the consumer is actually telling them (be it higher commission for a given supplier, or their own device preferences). If they sound like they are not making sense -- it is probably because they are not thinking of what your needs are.
1 If the patch is in software, in the OS, can't malicious code (e.g. after privilege escalation exploit) undo any OS patch and then go wild on other people's memory?
Basically yes, but you have to have another OS based exploit to piggyback on -- but in reality the privilege escalation by itself would probably be sufficient in itself - so the chip level one would more or less be overkill.
2 Does this also bypass Intel SGX isolation?
I don't think you would say bypass, but it would likely impact the security of SGX as well -- since your leaking kernel data into user spaces.
In this case the CPU cannot be patched. This defect is permanent, it can never be fixed in the current processors. When new processors come out (assuming the next gen uses the same socket -- a crap shoot) you could replace the CPU. The fix is for the OSes to basically compensate and work around the defects - which may have moderate to severe performance penalties depending on CPU and what you are doing. What Intel is saying is actually a lie, they are helping the OS or "bios" vendors basically duct tape over the defect and hide it. Intel has indicated the earliest you will see "patched" CPUs is the end of the year - which depending on the CPU - could be end of the year or end of the follow year if they follow any type of release cycle (likely to be next gen CPUs only). So updating your motherboard to the latest firmware and installing the latest version of the OS is all that you can do for now.
Oh, it is even later than that - since that is the photo I setup facebook with almost a decade ago. It is the same photo until I die... though I don't feel threatened at all... since there are always two guards at the gate to protect me:o
I am not aware of Linus hating Intel, he definitely hates the way Intel has tried to BS / Spin / deflect blame / avoid responsibility. If you appreciate companies that spend more time on BS / Spin / deflecting blame and avoiding responsibility rather than being transparent about their own failures and how THEY plan to address it... then Intel is the company for you (under this CEO anyways - we will see if he lasts).
ARM has been transparent, detailed and transparent about their failings (the lesser of the defects) and deserves respect for that.
Ask anyone involved - even whitehats - and you are likely to be told that the demand and renumeration for exploits on the open market is higher than it is for submitting it and expecting a bounty. You have state sponsors (some that are closer to mafia states) such as North Korea and Russia financing the finding of exploits. Your own government is also accumulating exploits - but the only time you see them used is when they are leaked - they are not typically submitted to companies - since they want to use them. You have major multinational criminal organizations that make significant amounts of their income through high tech attacks -- which can net billions in a single attack - making the cost of acquiring exploits a rounding error. You have thriving dark web marketplaces for selling these exploits. This industry dwarfs the whitehat industry considerably. Basically, there is more investment on monetizing exploits than there is discovering these exploits for ethical purposes.
The exploit is basically gathering information that could be used to completely invalidate security. Therefore by the time you know you have been compromised the vector that made the that possible would no longer need to be present.
Basically, by the time the world would have visibility - it would already be far too late (and it may be the case). We see the results, but not the attack vector... The odds of a whitehat finding any exploit first -- is probably much less than 50%.
And to be quite honest, that was not how I read Linus thing... Linus can be a wrap the contents of a valid issue in a bit of what some have termed a 'Hissy fit'/'tantrum'. The issue that he seems to have is not that there is a defect, not that it has to be patched in the kernel -- but that Intel's PR is on overdrive and gives no indication of taking responsibility... and not being open and transparent with regards to fixing it and timeline for those actions.
It is not the design / defect that I have lost respect for Intel, nor the technical competence of it's employees... My issue resides with the C-level's response to this defect that I have tot take issue with - and that is how I really read the email. ARM is not defect free, but the difference is that their response to it has been much more professional and transparent.
Being a software developer by trade, I am all to familiar that nothing is defect free... and defects are a part of the process.... the response and how these defects are handled is where you win or lose respect (assuming you are not totally incompetent and the software is not unusable).
BS. There are already proof of concepts that can be run and are in the hands of a select few for testing purposes. We have no idea if these exploits have been used - only that we have no visibility on it. The only real visibility we have is when a whitehat reports it, or when someone is caught. While personal computers are less impacted, the fact that the browsers will all also have to be patched since it can also be exploited through javascript... problematic.
The issue is that through using the exploits you can have access to things like passwords used in kernel code, certificates, etc. -- and that can get this through pilfering the cache -- which breaks the isolation between user applications and the operating system.... While already bad on a personal computer, it is horribly bad for shared hosting environments -- where some actor can get access to a common computing environment and attack from the inside.
The lack of acceptance of responsibility, the attempt to deflect responsibility; the lack of transparency on when/how the defect will be fixed. That is why Linus was right to tear a strip off of Intel.
ARM (and AMD) may be susceptible to the lesser of the two [evil] exploits... but the impact for that second one is considerably less than Meltdown (which is specific to Intel only). ARM has been very open and detailed with regards to the impact -- and gives every indication it is taking the issue seriously.
Intel on the other hand issued a totally bizarre PR spin. Trying to spin it as works as designed (which might be the case, but the design was flawed), trying to distract the public by using 'Look over there...' deflection technique. Then indicating that the earliest architectural change will be later this year (which by the way coincides with the beginning of the next generation release). Processors for one generation of chips tends to be phased in over a two year period - does this mean that they plan to continue selling defective CPUs for the next 2 and a half years?
On top of that the news that the [probably legal] sale share (after the news of the defect, but before it was made public) -- is at least optically horrible. An ethical CEO would have delayed the planned share sale until after the defect was public - and accepted the risk of holding onto the shares during that time. Not to mention selling 889,700 shares and keeping only the absolute minimum to remain CEO... 250,000 all at one time.... is also optically bad. I understand the need to diversify your investments, but he should only be selling at most 25% of his shares on an annual basis.
This all put together indicates to me that the current CEO should be fired.
There are areas of all Canadian Embassies where ALL phones (both personal and government) are banned and must be dropped off. All visitors cannot bring personal electronics in. Government officials that are not based at that embassy are not permitted to bring electronics in. If it is just now that the West Wing is implementing it -- then the US government is more lax about security than I thought.
My comment was in response to the original poster (you maybe) 'The class war is in full effect. Time you picked a side.'. The Marxist system was created out of basically a class war. At no point did the original post indicate it was socialism -- or for that matter communist.... but the revolution of Marxist type takeovers is more associated with class warfare where you had to 'choose a side'. Socialist countries can be democratic (real -- not just in name) and a democratic system is not about class warfare but about competing ideas and letting the people chose.
The Soviet Union was a Marxist 'Communism' country. Fidel Castro modelled Cuba after Marxist 'Communism' (his words). In many respects Fidel Castro is the ideological father of Venezuela's socialist system -- as such it is not a surprise nor a mistake that Venezuela has consistently moved in that direction. Soviet Union - failed, Cuba - not in great shape and has financial backers to keep it alive, Venezuela... basically a failed state, North Korea... basically a failed state. China has adopted capital markets and is more a one party rule dictatorship rather than what it was before which was modelled under the Marx doctrine.
Doing the same thing over and over again and expecting a different outcome is a pretty good definition of insanity.
The stock was about $43 a month ago, It is higher than October of last year when the defect was found when insider trading would have started...it is well within the trading range.
Large users of Xeon processors will likely get a deal on replacements and future purchases if they are significantly affected - but we won't be privy to it. BTW it won't be 30% overall, it will be 30% on some workloads -- so some jobs will be 30%, others may be 5%. The defect is not part of any specifications that I know of, Intel does not do those types of specifications - they do things like processor cores, bandwidth, clock rates, PCIe lanes, etc. As such the processor is still as per spec.
Stock price not moved, computers still computing... computers still susceptible to exploits.... so yes, it could be considered minor.
The only way this could be considered major is if it forced a recall of the chips affected, and for that to happen it has to affect the ability to use. A performance hit because operating systems need to be modified to make the system more secure -- only affects reputation to a little extent. If exploding Samsung phones cannot significantly hurt Samsung going forward; then a bug that will never be noticed by 98% of users... is minor.
The sale was more than likely schedule well in advance of that date - which would be before the defect was reported. As such he is not trading on insider information since he was not relying on any insider information. It doesn't necessary look good, and if he were interested in the optics of it -- he could have cancelled it... but it was not a requirement. The majority of his assets are likely Intel stock by the fact he gets paid in it - and financially it makes sense to diversify - especially with the renewed competition with AMD.
So lucky, bad optics, but nothing illegal.
Also, The stock price is actually at or above the price that it was in November...
Just having a good idea does not give you the right to prosper in the business-world, it is all about execution. It is a market economy and you have to have both an idea and are able to execute that idea better than anyone else that might think they can do better. The company with the idea first, does get a head start - but that is all that they are comes from an idea alone.
You are right that patents have almost no place in software (unless something is truly revolution - like a compression algorithm that through ingenuity is significantly better than all the rest - something that is not obvious).
You are making an assumption on the situation. What we know is that as far as the police knew they were rolling on a murder and hostage situation (hostage in danger of murder as well). We don't know if the potential hostage taker had his hands hidden, whether he made any sharp movements - basically we know nothing. We don't know if the officer followed procedure, or what he was responding to. To say that they just rolled up and shot the first person they saw is only showing your bias and not what was reported.
NAT does not provide any real network security, it actually prevents many security measures.
Consumer grade firewalls (most of them) built into the modems they get from their ISP -- are often almost useless when it comes to providing real security. Many of them don't even bother to force the administrator to have anything more than the default password.
By your argument -- you would be even happier if your ISP shares your IP address across many households (double NAT'd) -- which mine does.
The US government should facilitate the move from IPv4 to IPv6 by starting to tax or apply a fee for each IPv4 (with no IPv6 address) address in usage -- and increase that fee each year until it encourages the movement off of IPv4.
Slashdot Mirror
Here almost every store (carrier or retailer) will favour a specific manufacturer - it could be as simple as they commission that they make is higher for a given manufacturer because of incentives -- or it could just be what they are familiar with and are therefore more comfortable selling. Bias is normal and pretending it does not exist -- just makes you an easy target.
First, when pricing phones and doing comparisons -- include the total cost of ownership of each of those models. People often get hung up on a device costing $100 or $200 more as being 15% to 25% more. I am use to not having a plan in the country I am living in (and total cost is considerably less than my home country of Canada). Phones should typically last 4 years (even sell the phone and get a new one; or recycle it through the family) with being reasonably useful - so that is typically what I use for total cost. In Canada where the market is very costly this could mean over those 4 years you are spending $4,000 on a plan for that phone.... so if a phone costs $600 - your total cost of ownership is $4,600, or more. So in the end being cheap about the actual device is not saving a whole lot of money.
Most people usually have a strong preference (Android or iPhone) -- my case I prefer my iPhone. If you are an Android user I would probably give preference to a Pixel phone just because a lot of vendors are slow (at most) on updating the phone with the new version or security updates.
At this point you have probably narrowed down your choice - and you probably know what you use your phone for. If you use your phone alot and it is a very important device, just chose the best phone that you can buy at the time that suits your needs.
All sales people have their own preferences and unfortunately most are swayed by choices other than what the consumer is actually telling them (be it higher commission for a given supplier, or their own device preferences). If they sound like they are not making sense -- it is probably because they are not thinking of what your needs are.
1 If the patch is in software, in the OS, can't malicious code (e.g. after privilege escalation exploit) undo any OS patch and then go wild on other people's memory? Basically yes, but you have to have another OS based exploit to piggyback on -- but in reality the privilege escalation by itself would probably be sufficient in itself - so the chip level one would more or less be overkill. 2 Does this also bypass Intel SGX isolation? I don't think you would say bypass, but it would likely impact the security of SGX as well -- since your leaking kernel data into user spaces.
In this case the CPU cannot be patched. This defect is permanent, it can never be fixed in the current processors. When new processors come out (assuming the next gen uses the same socket -- a crap shoot) you could replace the CPU. The fix is for the OSes to basically compensate and work around the defects - which may have moderate to severe performance penalties depending on CPU and what you are doing. What Intel is saying is actually a lie, they are helping the OS or "bios" vendors basically duct tape over the defect and hide it. Intel has indicated the earliest you will see "patched" CPUs is the end of the year - which depending on the CPU - could be end of the year or end of the follow year if they follow any type of release cycle (likely to be next gen CPUs only). So updating your motherboard to the latest firmware and installing the latest version of the OS is all that you can do for now.
Oh, it is even later than that - since that is the photo I setup facebook with almost a decade ago. It is the same photo until I die... though I don't feel threatened at all... since there are always two guards at the gate to protect me :o
The Linux kernel development is transparent - you can go see every issue that is logged and needs to be fixed. next.
oops, transparent was duplicated
I am not aware of Linus hating Intel, he definitely hates the way Intel has tried to BS / Spin / deflect blame / avoid responsibility. If you appreciate companies that spend more time on BS / Spin / deflecting blame and avoiding responsibility rather than being transparent about their own failures and how THEY plan to address it... then Intel is the company for you (under this CEO anyways - we will see if he lasts).
ARM has been transparent, detailed and transparent about their failings (the lesser of the defects) and deserves respect for that.
Ask anyone involved - even whitehats - and you are likely to be told that the demand and renumeration for exploits on the open market is higher than it is for submitting it and expecting a bounty. You have state sponsors (some that are closer to mafia states) such as North Korea and Russia financing the finding of exploits. Your own government is also accumulating exploits - but the only time you see them used is when they are leaked - they are not typically submitted to companies - since they want to use them. You have major multinational criminal organizations that make significant amounts of their income through high tech attacks -- which can net billions in a single attack - making the cost of acquiring exploits a rounding error. You have thriving dark web marketplaces for selling these exploits. This industry dwarfs the whitehat industry considerably. Basically, there is more investment on monetizing exploits than there is discovering these exploits for ethical purposes.
The exploit is basically gathering information that could be used to completely invalidate security. Therefore by the time you know you have been compromised the vector that made the that possible would no longer need to be present.
Basically, by the time the world would have visibility - it would already be far too late (and it may be the case). We see the results, but not the attack vector... The odds of a whitehat finding any exploit first -- is probably much less than 50%.
And to be quite honest, that was not how I read Linus thing... Linus can be a wrap the contents of a valid issue in a bit of what some have termed a 'Hissy fit'/'tantrum'. The issue that he seems to have is not that there is a defect, not that it has to be patched in the kernel -- but that Intel's PR is on overdrive and gives no indication of taking responsibility... and not being open and transparent with regards to fixing it and timeline for those actions.
It is not the design / defect that I have lost respect for Intel, nor the technical competence of it's employees... My issue resides with the C-level's response to this defect that I have tot take issue with - and that is how I really read the email. ARM is not defect free, but the difference is that their response to it has been much more professional and transparent.
Being a software developer by trade, I am all to familiar that nothing is defect free... and defects are a part of the process.... the response and how these defects are handled is where you win or lose respect (assuming you are not totally incompetent and the software is not unusable).
BS. There are already proof of concepts that can be run and are in the hands of a select few for testing purposes. We have no idea if these exploits have been used - only that we have no visibility on it. The only real visibility we have is when a whitehat reports it, or when someone is caught. While personal computers are less impacted, the fact that the browsers will all also have to be patched since it can also be exploited through javascript... problematic.
The issue is that through using the exploits you can have access to things like passwords used in kernel code, certificates, etc. -- and that can get this through pilfering the cache -- which breaks the isolation between user applications and the operating system.... While already bad on a personal computer, it is horribly bad for shared hosting environments -- where some actor can get access to a common computing environment and attack from the inside.
Most CPU defects can be patched. This one cannot.
The lack of acceptance of responsibility, the attempt to deflect responsibility; the lack of transparency on when/how the defect will be fixed. That is why Linus was right to tear a strip off of Intel.
ARM (and AMD) may be susceptible to the lesser of the two [evil] exploits... but the impact for that second one is considerably less than Meltdown (which is specific to Intel only). ARM has been very open and detailed with regards to the impact -- and gives every indication it is taking the issue seriously.
... 250,000 all at one time.... is also optically bad. I understand the need to diversify your investments, but he should only be selling at most 25% of his shares on an annual basis.
Intel on the other hand issued a totally bizarre PR spin. Trying to spin it as works as designed (which might be the case, but the design was flawed), trying to distract the public by using 'Look over there...' deflection technique. Then indicating that the earliest architectural change will be later this year (which by the way coincides with the beginning of the next generation release). Processors for one generation of chips tends to be phased in over a two year period - does this mean that they plan to continue selling defective CPUs for the next 2 and a half years?
On top of that the news that the [probably legal] sale share (after the news of the defect, but before it was made public) -- is at least optically horrible. An ethical CEO would have delayed the planned share sale until after the defect was public - and accepted the risk of holding onto the shares during that time. Not to mention selling 889,700 shares and keeping only the absolute minimum to remain CEO
This all put together indicates to me that the current CEO should be fired.
There are areas of all Canadian Embassies where ALL phones (both personal and government) are banned and must be dropped off. All visitors cannot bring personal electronics in. Government officials that are not based at that embassy are not permitted to bring electronics in. If it is just now that the West Wing is implementing it -- then the US government is more lax about security than I thought.
My comment was in response to the original poster (you maybe) 'The class war is in full effect. Time you picked a side.'. The Marxist system was created out of basically a class war. At no point did the original post indicate it was socialism -- or for that matter communist.... but the revolution of Marxist type takeovers is more associated with class warfare where you had to 'choose a side'. Socialist countries can be democratic (real -- not just in name) and a democratic system is not about class warfare but about competing ideas and letting the people chose.
... basically a failed state, North Korea... basically a failed state. China has adopted capital markets and is more a one party rule dictatorship rather than what it was before which was modelled under the Marx doctrine.
The Soviet Union was a Marxist 'Communism' country. Fidel Castro modelled Cuba after Marxist 'Communism' (his words). In many respects Fidel Castro is the ideological father of Venezuela's socialist system -- as such it is not a surprise nor a mistake that Venezuela has consistently moved in that direction. Soviet Union - failed, Cuba - not in great shape and has financial backers to keep it alive, Venezuela
Doing the same thing over and over again and expecting a different outcome is a pretty good definition of insanity.
The stock was about $43 a month ago, It is higher than October of last year when the defect was found when insider trading would have started...it is well within the trading range.
Large users of Xeon processors will likely get a deal on replacements and future purchases if they are significantly affected - but we won't be privy to it. BTW it won't be 30% overall, it will be 30% on some workloads -- so some jobs will be 30%, others may be 5%. The defect is not part of any specifications that I know of, Intel does not do those types of specifications - they do things like processor cores, bandwidth, clock rates, PCIe lanes, etc. As such the processor is still as per spec.
Stock price not moved, computers still computing... computers still susceptible to exploits.... so yes, it could be considered minor.
The only way this could be considered major is if it forced a recall of the chips affected, and for that to happen it has to affect the ability to use. A performance hit because operating systems need to be modified to make the system more secure -- only affects reputation to a little extent. If exploding Samsung phones cannot significantly hurt Samsung going forward; then a bug that will never be noticed by 98% of users... is minor.
Even in the Soviet Union there are always classes - you had the ruling class and everyone else typically.
So yes, less people with wealth but far far more poor people that had to line up for hours on end waiting for food.
Maybe you should just move to Venezuela...
The sale was more than likely schedule well in advance of that date - which would be before the defect was reported. As such he is not trading on insider information since he was not relying on any insider information. It doesn't necessary look good, and if he were interested in the optics of it -- he could have cancelled it... but it was not a requirement. The majority of his assets are likely Intel stock by the fact he gets paid in it - and financially it makes sense to diversify - especially with the renewed competition with AMD.
So lucky, bad optics, but nothing illegal.
Also, The stock price is actually at or above the price that it was in November...
Just having a good idea does not give you the right to prosper in the business-world, it is all about execution. It is a market economy and you have to have both an idea and are able to execute that idea better than anyone else that might think they can do better. The company with the idea first, does get a head start - but that is all that they are comes from an idea alone.
You are right that patents have almost no place in software (unless something is truly revolution - like a compression algorithm that through ingenuity is significantly better than all the rest - something that is not obvious).
Let the markets decide.
You are making an assumption on the situation. What we know is that as far as the police knew they were rolling on a murder and hostage situation (hostage in danger of murder as well). We don't know if the potential hostage taker had his hands hidden, whether he made any sharp movements - basically we know nothing. We don't know if the officer followed procedure, or what he was responding to. To say that they just rolled up and shot the first person they saw is only showing your bias and not what was reported.
Stateful Firewalls Provide Security (Not NAT)
NAT does not provide any real network security, it actually prevents many security measures.
Consumer grade firewalls (most of them) built into the modems they get from their ISP -- are often almost useless when it comes to providing real security. Many of them don't even bother to force the administrator to have anything more than the default password.
By your argument -- you would be even happier if your ISP shares your IP address across many households (double NAT'd) -- which mine does.
The US government should facilitate the move from IPv4 to IPv6 by starting to tax or apply a fee for each IPv4 (with no IPv6 address) address in usage -- and increase that fee each year until it encourages the movement off of IPv4.
As well as the vast majority of the internet and other servers use Linux. It might be deadish on the desktop but not on servers.