As someone had mentioned more than likely it was a backdoor for the US Government, but got discovered as a hardware security problem. God Bless

quote:

Originally posted by V-Tail:

quote:

Originally posted by maladat:
It uses idle clock cycles

Years ago, I was on a consulting contract, supporting mainframe computers at a major customer's site.

During a meeting, somebody brought up the fact that certain usage reports showed more CUP time than wall clock time, and asked how that could be.

I was aware of the glitch in the reports -- somebody in the OS development group had made a math error when coding the calculations for the report, and the error had been caught and the fix was integrated in the next release of the OS.

Somehow, my mouth got ahead of my brain, and I started to explain the VTOS (Virtual Time Operating System) that they were running: the instruction fetch hardware looked ahead, realized that there were CPU cycles that were not going to be used in the middle of the night next week, so it used them as needed during current periods of heavy load.

I almost sold that concept.

If only you could have found a way to include the acronym TARDIS in your explanation.

quote:

Originally posted by sgalczyn:
Conspiracy hat = ON

Was this really a flaw....or gubmint back door??

Better yet.....the replacement "FIX" chip contains the real gubmint back door!

I know you were joshing, but this wouldn't be a really useful backdoor.

As I understand it, it's like a janitor in an office not emptying the shredder's wastebasket reliably and there's a risk someone could get a snapshot of what's in the wastebasket. There might be useful bits in there occasionally, and it is a risk, but that's not reliable enough for a real spook.

Meltdown only effects Intel processors (roughly every x86 / x86_64 processor since 1995 I think) and is due to a design "flaw" in the hardware. The flaw allows processes to access information in memory that they shouldn't have access to.

The patches to fix this will introduce a performance penalty - which is more likely only seen with server / heavy loads. Systems with heavy I/O load, high volume of transactions or hosting virtual machines, etc. You're not going to see a performance degradation in your email or office documents.

The Spectre vulnerability affects Intel, AMD, and ARM processors (so basically all modern devices), but the affects may not be to the same level between the 3 families of processors (least according to wikipedia). It sounds like the exploit is mostly theoretical at this point, working mostly just between user level applications - but likely that the risk will be greater once the exploits attacking this vulnerability mature. Spectre main risk sounds to be its impact on cloud providers as it allows the exploits to escape from a VM to the host OS (travel through the hyperviser) -- though I believe that type of exploit (escaping the hypervisor) has been known to be possible for at least 7 years (but maybe I'm wrong - I'm just recalling the "Blue Pill" vulnerability).

quote:

Originally posted by VBVAGUY:
As someone had mentioned more than likely it was a backdoor for the US Government, but got discovered as a hardware security problem. God Bless

That "backdoor" was more likely the Intel Management Engine vulnerability that broke in Nov 2017. Basically a Minix OS within the processor that lets you do out of band updates / maintenance on the PC without the host OS's knowledge - ie even when the PC is 'off', but the power is still plugged in.

quote:

Originally posted by smschulz:

quote:

Originally posted by RogueJSK:
It's not just Intel. It apparently affects Intel, AMD, and ARM processors. It's just the risk is greatest to Intel chips.

From what I've read the threats (Meltdown Spectre is what I believe they are called) have not been observed in real life - only theoretical.
I could be wrong but that is what I've gathered.
Plus a computer must already be vulnerable enough to have malicious "code" installed whatever that might be > THEN it is possible for the attack to succeed.
If all of that is so then this has been quite over-hyped.

^ this is correct. There is a security hole but the use case is quite obscure, and only observed theoretically.

This affects every Intel CPU and also Windows, Linux, VMWare hypervisor, OSX and who knows what.

"Spectre" affects AMD, Intel, ARM cpu's. "Meltdown" is specific to Intel cpu's.

For Windows on Intel CPU's, you need both an OS patch, AND a motherboard BIOS update to be "fixed".

There are also browser patches available.

This affects VMWare/hypervisors in a way that if one virtual machine is compromised, the attacker could then gain access (access to read only as far as I know, not take control of) to all of the virtual machines that are residing on the host (not important to know for you home users - but this is why they say it affects the "cloud").

There are also MS SQL server specific patches.

Also, you need to make sure your Antivirus supports the Microsoft patch before installing. If you don't have a specific registry key in Windows - Microsoft will not present the patches to you.

As someone who works in IT with 30 or more VMWare hosts running 600 virtual machines and a few hundred random physical servers to boot - hold me.

"We may all be killed" (in Jack Nance's voice)