According to Conventional Wisdom(TM) Meltdown and Spectre are MUCH worse, leading to patchy BIOS updates, BSODs and varying levels of performance loss. Perhaps a dose of perspective, which this helps bring to the table, is in order - finally.
From the very beginning, I've tried to get everyone to pause the Panic Parade, but nnnnnooooooo. To try to address probably the most complex vulnerability yet discovered (it took over 20 YEARS for this to be found) that also requires you to already be running malware on your system, people are flashing new BIOSes, patching kernels and generally behaving like idiots. Slow FT down, folks! Let the CPU and OS experts have a real shot at minimizing the risk, without killing our production systems, FFS!!
As a certifiable Old Fart(TM), I remember all too well the bizarre days of the UNIX wars. AIX had a great admin tool called SMIT; SCO had a great channel for feeding the SMBs that developed the cool applications to other SMBs; Solaris ruled telecom and other HA realms; etc. There was NO "UNIX API" as MS had, hence their subsequent success. And no one shared a god-damned thing. Device drivers, admin tools - you name it. Each KNEW that their way would bring consolidation, failing to recognize the fundamental flaw built-in to that thought. Enter GNU/Linux. Yes, I put them together for a reason - neither could exist without the other. I made this point to the first Intel Linux Conference at the mothership and glad to see the prophecy fulfilled. The world is a much, much better place because of GNU/Linux!
Congratulations on a well-reasoned response - too rare on/. these days... Specific to Meltdown (what really requires kernel patches that do affect performance), after having read all of the papers, I cannot imagine a scenario whereby malware (which - Yes! - does need to be running on the system) would be written to use such a bizarre technique when a simple PE would allow me to access, say,/proc/kcore much more easily....
I worked at Intel and - sure - you can talk about employment policies during the appropriate venue. However, there is a stronger policy called "disagree and commit". Means just what it says: you may disagree, but at the end of the day you will adhere to policy or leave.
OK, just who is being discriminated against due to gender or race? Everything that I've seen shows that he was fired for being an asshole. I sure hope THAT never becomes a Protected Class, else we're all screwed even more than now.
Sure, he did bad-mouth the company in his email. I've worked in large companies with diversity training, etc. and they always prompt open discussions, etc. Once it's done, though, you are expect to adhere to policy or leave. Your call. If you feel they've done anything illegal, there are many, many avenues for redress beyond whining on social media. Looks like he's trying that...now.
I tried - despite down-mods - to warn everyone here that over-reacting to this issue would be a big problem, but nnnnnoooooo. We all had to jump on the Panic Train before it got too crowded. To address a vulnerability that A) requires you to be running malware anyway (specific to Meltdown) and B) is excruciatingly difficult to make work (it took over 20 YEARS to find it!!) and C) is lost in the swarm of thousands of known, easy-to-implement malware, people are ready to brick their systems, suffer XX% performance loss and God knows what next just shows that all sense of perspective has been lost to hype and hysteria. Sad!(TM)
From the suit: "employees who expressed views deviating from the majority view at Google on political subjects raised in the workplace and relevant to Google's employment policies and its business, such as 'diversity' hiring policies, 'bias sensitivity,' or 'social justice,' were/are singled out, mistreated, and systematically punished and terminated from Google, in violation of their legal rights." So, Google has internal policies to, say, promote "diversity" and this a-hole doesn't like it, raises a big stink causing huge PR problems for Google just so he can claim his SJW cred and we're supposed to feel sorry for him? No. Any employees of mine who went around bad-mouthing my company would find themselves out of a job pretty god-damned quickly. And, NO - there is no law preventing an employer from firing someone for being an asshole.
Is it technically possible? Sure, there are already open-source core designs available. All you have to do is come up with the hundreds of thousands of engineers, designers, and manufacturing experts, replicate about 40 years of legacy toolchains from basic compilers to OSes, languages and frameworks, add in a smidgen of semi-conductor factories, testing facilities and packaging support. Oh! Did I mention sales and marketing? Go right-da-fuck ahead!
"The issue is that through using the exploits you can have access to things like passwords used in kernel code, certificates, etc." I'm gonna throw the BS Flag here. First, on Linux anyway, things like authentication and certificates are handled by other apps, some of which may access syscalls of course, but to repeat - as SO many do - that passwords are part of kernel code is nonsense. Please do not regurgitate BS!
Also, keep fucking malware off of your system and you won't be at risk!!!
"Oh! Is THIS ARM chip vulnerable? Oh, NNNNNOOOO...." Everyone seems to have lost perspective here. 1) In order for you to be "vulnerable", you must be running some kind of malware. If you're running malware, you are already fucked with a sand-paper dildo. 2) Given #1, coupled with the astounding number/variety of destructive forms of malware extant, it is ludicrous to give more than a nano-second's consideration (as a basic user or admin) to this. 3) Does anyone have any idea of how difficult it is to leverage this particular vulnerability to do something useful? Especially given #2 above. Crikey - the Panic Parade(TM) must go on, I guess.
It's not "brushing off", it's perspective. A) You must already have malware for this to be able to run at all. B) Given how effective "standard" malware is (Ransomware) and C) how exponentially more difficult to implement this vector is.... I'm looking for a reason to take a 30%+ perf hit to guard against this most edgiest of edge cases.
Actually, I've been knowledgeable about CPUs since the days when I was doing chip-level repair on DG Nova III CPU boards but...whatever. You still have not explained even a tiny bit how having malware on your system (necessary for this to be of any impact at all) is OK, but if that malware can read kmem...HORROR! Did any of the ransomware or anything else which has killed tens of thousands of systems read kmem? No.
Seriously - anyone who knows enough should know that this bug (being able to read tiny amounts of kmem ONLY during a specific sequence of speculative instructions; bad but hardly an open port) requires: malware to already be running on your system (in which case you are already screwed); that malware to be so perfectly crafted to not only read tiny amounts of kmem data via specific instruction sequences but then expand that tiny amount of info into some (magical?) process for gathering passwords, crypto-keys, etc. (none of which are stored in kmem anyway, but why spoil the panic parade?) and then spreading to other computers on your network. Show me a real POC, then we can panic. FFS!
That is complete and total bullshit. Where I live the existing copper plant was built out over decades using USF fees. Windstream, then came in and bought the previous carrier and - throughout - there remained only the one ISP who regularly goes down for a day at a time. How could anyone compete against that? Ideally, the legislature would require monopoly ISPs, especially those whose plant was built out using USF funds, to allow competitive ISPs to co-locate in their POPs. Course with all of the "gubment sux" mentality roiling around, getting anything truly constructive done is unlikely to happen.
As a former SE (FAE in Intel-speak) for several companies, I'd also like to say that the underlying organization behind the SE is more important. Sure, a great SE can beat his head against the wall to no avail to the customer, but a great organization that really supports their SEs when they try to be "the voice of the customer" is really rare. Intel did it better than any other org I've worked with, but even they failed sometimes. Those danged customers kept having their OWN needs, dammit!!
I'm laughing my ass off. I've never owned or traded any BTC as I never saw any underlying value - just the premise that scarcity in and of itself would == ${SOME_KIND_OF_VALUE} for some bla-bla reason. Now, gold and diamonds - iffy though their ultimate underlying "value" may be - have the undeniable advantage of being A) tangible at least and B) worthwhile as something else (jewellery, etc.) in the meantime irrespective of their "it's GOTTA go higher from here!!" mentality. PS - I have no gold or diamonds either.
Let's see: company (Tesla) has more need for materials furnished by a partner company(Panasonic), so orders more and partner company supplies the extra materials. Other companies WITHOUT existing supply contracts whine about being unable to buy batteries from partner company. Isn't this at some level how basic capitalism works? It's not like there aren't other battery suppliers and - yes! - demand is skyrocketing. Welcome to the real world.
Slashdot Mirror
According to Conventional Wisdom(TM) Meltdown and Spectre are MUCH worse, leading to patchy BIOS updates, BSODs and varying levels of performance loss. Perhaps a dose of perspective, which this helps bring to the table, is in order - finally.
From the very beginning, I've tried to get everyone to pause the Panic Parade, but nnnnnooooooo. To try to address probably the most complex vulnerability yet discovered (it took over 20 YEARS for this to be found) that also requires you to already be running malware on your system, people are flashing new BIOSes, patching kernels and generally behaving like idiots. Slow FT down, folks! Let the CPU and OS experts have a real shot at minimizing the risk, without killing our production systems, FFS!!
Bullshit! Did POSIX address Universal Printer Drivers? Display Drivers? 100% Organic, Dolphin-Free Bullshit!
As a certifiable Old Fart(TM), I remember all too well the bizarre days of the UNIX wars. AIX had a great admin tool called SMIT; SCO had a great channel for feeding the SMBs that developed the cool applications to other SMBs; Solaris ruled telecom and other HA realms; etc. There was NO "UNIX API" as MS had, hence their subsequent success. And no one shared a god-damned thing. Device drivers, admin tools - you name it. Each KNEW that their way would bring consolidation, failing to recognize the fundamental flaw built-in to that thought. Enter GNU/Linux. Yes, I put them together for a reason - neither could exist without the other. I made this point to the first Intel Linux Conference at the mothership and glad to see the prophecy fulfilled. The world is a much, much better place because of GNU/Linux!
You bastard! If you weren't posting as AC I'd burn every Funny mod point I have!
You're 5-digit, mate - you get a pass. :-)
Congratulations on a well-reasoned response - too rare on /. these days... Specific to Meltdown (what really requires kernel patches that do affect performance), after having read all of the papers, I cannot imagine a scenario whereby malware (which - Yes! - does need to be running on the system) would be written to use such a bizarre technique when a simple PE would allow me to access, say, /proc/kcore much more easily....
I worked at Intel and - sure - you can talk about employment policies during the appropriate venue. However, there is a stronger policy called "disagree and commit". Means just what it says: you may disagree, but at the end of the day you will adhere to policy or leave.
OK, just who is being discriminated against due to gender or race? Everything that I've seen shows that he was fired for being an asshole. I sure hope THAT never becomes a Protected Class, else we're all screwed even more than now.
Thank you. Apparently, the RW SJWs are in a hissy fit. Fuck 'em. I stand by my point and - aside from ACs - am ready to defend it.
Sure, he did bad-mouth the company in his email. I've worked in large companies with diversity training, etc. and they always prompt open discussions, etc. Once it's done, though, you are expect to adhere to policy or leave. Your call. If you feel they've done anything illegal, there are many, many avenues for redress beyond whining on social media. Looks like he's trying that...now.
I tried - despite down-mods - to warn everyone here that over-reacting to this issue would be a big problem, but nnnnnoooooo. We all had to jump on the Panic Train before it got too crowded. To address a vulnerability that A) requires you to be running malware anyway (specific to Meltdown) and B) is excruciatingly difficult to make work (it took over 20 YEARS to find it!!) and C) is lost in the swarm of thousands of known, easy-to-implement malware, people are ready to brick their systems, suffer XX% performance loss and God knows what next just shows that all sense of perspective has been lost to hype and hysteria. Sad!(TM)
From the suit: "employees who expressed views deviating from the majority view at Google on political subjects raised in the workplace and relevant to Google's employment policies and its business, such as 'diversity' hiring policies, 'bias sensitivity,' or 'social justice,' were/are singled out, mistreated, and systematically punished and terminated from Google, in violation of their legal rights." So, Google has internal policies to, say, promote "diversity" and this a-hole doesn't like it, raises a big stink causing huge PR problems for Google just so he can claim his SJW cred and we're supposed to feel sorry for him? No. Any employees of mine who went around bad-mouthing my company would find themselves out of a job pretty god-damned quickly. And, NO - there is no law preventing an employer from firing someone for being an asshole.
Is it technically possible? Sure, there are already open-source core designs available. All you have to do is come up with the hundreds of thousands of engineers, designers, and manufacturing experts, replicate about 40 years of legacy toolchains from basic compilers to OSes, languages and frameworks, add in a smidgen of semi-conductor factories, testing facilities and packaging support. Oh! Did I mention sales and marketing? Go right-da-fuck ahead!
"The issue is that through using the exploits you can have access to things like passwords used in kernel code, certificates, etc." I'm gonna throw the BS Flag here. First, on Linux anyway, things like authentication and certificates are handled by other apps, some of which may access syscalls of course, but to repeat - as SO many do - that passwords are part of kernel code is nonsense. Please do not regurgitate BS! Also, keep fucking malware off of your system and you won't be at risk!!!
"Oh! Is THIS ARM chip vulnerable? Oh, NNNNNOOOO...." Everyone seems to have lost perspective here. 1) In order for you to be "vulnerable", you must be running some kind of malware. If you're running malware, you are already fucked with a sand-paper dildo. 2) Given #1, coupled with the astounding number/variety of destructive forms of malware extant, it is ludicrous to give more than a nano-second's consideration (as a basic user or admin) to this. 3) Does anyone have any idea of how difficult it is to leverage this particular vulnerability to do something useful? Especially given #2 above. Crikey - the Panic Parade(TM) must go on, I guess.
It's not "brushing off", it's perspective. A) You must already have malware for this to be able to run at all. B) Given how effective "standard" malware is (Ransomware) and C) how exponentially more difficult to implement this vector is.... I'm looking for a reason to take a 30%+ perf hit to guard against this most edgiest of edge cases.
Actually, I've been knowledgeable about CPUs since the days when I was doing chip-level repair on DG Nova III CPU boards but...whatever. You still have not explained even a tiny bit how having malware on your system (necessary for this to be of any impact at all) is OK, but if that malware can read kmem...HORROR! Did any of the ransomware or anything else which has killed tens of thousands of systems read kmem? No.
Seriously - anyone who knows enough should know that this bug (being able to read tiny amounts of kmem ONLY during a specific sequence of speculative instructions; bad but hardly an open port) requires: malware to already be running on your system (in which case you are already screwed); that malware to be so perfectly crafted to not only read tiny amounts of kmem data via specific instruction sequences but then expand that tiny amount of info into some (magical?) process for gathering passwords, crypto-keys, etc. (none of which are stored in kmem anyway, but why spoil the panic parade?) and then spreading to other computers on your network. Show me a real POC, then we can panic. FFS!
...I need a drink!!
Thanks, JZ - you made my point better than I could have. It's amazing - still! - to me the tripe that people believe....
That is complete and total bullshit. Where I live the existing copper plant was built out over decades using USF fees. Windstream, then came in and bought the previous carrier and - throughout - there remained only the one ISP who regularly goes down for a day at a time. How could anyone compete against that? Ideally, the legislature would require monopoly ISPs, especially those whose plant was built out using USF funds, to allow competitive ISPs to co-locate in their POPs. Course with all of the "gubment sux" mentality roiling around, getting anything truly constructive done is unlikely to happen.
As a former SE (FAE in Intel-speak) for several companies, I'd also like to say that the underlying organization behind the SE is more important. Sure, a great SE can beat his head against the wall to no avail to the customer, but a great organization that really supports their SEs when they try to be "the voice of the customer" is really rare. Intel did it better than any other org I've worked with, but even they failed sometimes. Those danged customers kept having their OWN needs, dammit!!
I'm laughing my ass off. I've never owned or traded any BTC as I never saw any underlying value - just the premise that scarcity in and of itself would == ${SOME_KIND_OF_VALUE} for some bla-bla reason. Now, gold and diamonds - iffy though their ultimate underlying "value" may be - have the undeniable advantage of being A) tangible at least and B) worthwhile as something else (jewellery, etc.) in the meantime irrespective of their "it's GOTTA go higher from here!!" mentality. PS - I have no gold or diamonds either.
Let's see: company (Tesla) has more need for materials furnished by a partner company(Panasonic), so orders more and partner company supplies the extra materials. Other companies WITHOUT existing supply contracts whine about being unable to buy batteries from partner company. Isn't this at some level how basic capitalism works? It's not like there aren't other battery suppliers and - yes! - demand is skyrocketing. Welcome to the real world.