Message boards :
Number crunching :
Intel security flaw
Message board moderation
Previous · 1 · 2 · 3 · 4 · 5 · 6 · Next
Author | Message |
---|---|
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30651 Credit: 53,134,872 RAC: 32 |
For example, how easy is it for a hacker to become "an unprivileged, logged-in user". Can any counter-moves be made on this level ? Depending on the services of the machine it may be the normal method of operation. Assuming you don't have a guest account and aren't running a web server then they would have to hack into your computer from some other way to get logged in. From there though another layer of hacking to exploit the flaw and a bit of luck and your passwords fly off to the criminals. |
Darth Beaver Send message Joined: 20 Aug 99 Posts: 6728 Credit: 21,443,075 RAC: 3 |
Assuming you don't have a guest account Good advice as when the hacker was trying to hack the twitter account last week I think it may have also been the fact I had a admin account without a password witch I have now deleted I don't remember a phone call happening just before that attempt and why I think it may have been the admin account I had without the password |
OzzFan Send message Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
Regardless of manufacturer that's bad for computing as a whole. With the world's reliance on computers, it's bad enough having to contend with software flaws but hardware flaws... There are always hardware flaws. I obviously don't need to remind anyone here of the FDIV bug in the original Pentium (which was a relatively minor bug compared to the F00F bug that could cause your computer to freeze up). This is why CPUs have steppings, to fix flaws in the original design. But this particular flaw was originally a feature (i.e. no one really thought to exploit the feature introduced in the original Pentium Pro in 1995). What's worse is that because this is a hardware flaw, it has the potential to bypass virtual machines and hypervisors in the cloud so that, in theory, a hacker could access any running software or virtual machine running on a physical server. Cloud servers can have anywhere from 2 to several dozen virtual machines running at any given time (depending on need and specs). Yes, this is a very serious flaw but nothing to panic over. |
OzzFan Send message Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
For example, how easy is it for a hacker to become "an unprivileged, logged-in user". Can any counter-moves be made on this level ? Using Meltdown or Spectre? The hacker wouldn't be able to use either method to become an unprivileged, logged-in user. The hack would have to run in the existing user context, such as through a browser exploit or a malicious executable, and they could then use these vulnerabilities to read contents of CPU and RAM at any time, or use the knowledge to create buffer overflow attacks so they could execute their own code. So on their own, Meltdown and Spectre do not allow a hacker to become an unprivileged user. They don't really need to be an unprivileged user to wreak havoc. That said, these speculative execution flaws don't automatically allow a hacker to bypass other security systems in place, such as web browser sandboxing used in many modern browsers, or User Account Control in Windows. As always, practicing safe computing (don't click on every link you see and don't open attachments from people you don't know) and be careful. |
Grant (SSSF) Send message Joined: 19 Aug 99 Posts: 13736 Credit: 208,696,464 RAC: 304 |
Other than OzzFan there's a lot of noise with little to no signal here at the moment. Instead of going in to Panic Mode, take a page out of t he Hitch Hiker's Guide to the Galaxy & Don't Panic. Why not read an article that explains what is & isn't actually known at this stage? Grant Darwin NT |
tullio Send message Joined: 9 Apr 04 Posts: 8797 Credit: 2,930,782 RAC: 1 |
I am using only AMD Cpus both on Windows 10 and SuSE Linux. Should I apply the patches too? Microsoft sends me an upgrade every month, and I have no way to refuse it. I can refuse to install Linux updates, but so forth they have done no damages. I am running 4 BOINC projects using also nVidia graphic boards and/or VirtualBox. Neither do I on my Windows 10 Home edition on a HP PC with AMD A10-6700 CPU. Tullio |
Grant (SSSF) Send message Joined: 19 Aug 99 Posts: 13736 Credit: 208,696,464 RAC: 304 |
OK, here are some early benchmarks comparing before patch & after patch performance on an i7-8700k WIn10 system, Summary- Significant slow down for 4k disk reads (some write performances have actually improved). As for gaming, general productivity, general computing tasks- no measurable effect. Testing Windows 10 Performance Before and After the Meltdown Flaw Emergency Patch . Grant Darwin NT |
Richard Haselgrove Send message Joined: 4 Jul 99 Posts: 14650 Credit: 200,643,578 RAC: 874 |
Just been offered, and installed, what claims to be the January 2018 Security Monthly Quality Rollup for Windows 7 - which we weren't expecting until next Tuesday or (usually in the UK) Wednesday. No specific mention of either Meltdown or Spectre. Identity is KB4056894. Windows Update offered it solo, without the usual Malicious Software Removal Tool, so we don't really know exactly what's going on - but it's perhaps a sign of progress. |
Keith Myers Send message Joined: 29 Apr 01 Posts: 13164 Credit: 1,160,866,277 RAC: 1,873 |
I got the same security rollup last night on one of my Windows 7 crunchers. Just checked and the other Windows 7 cruncher is downloading as I type. No idea of what was in the security patch. The KB information at MS didn't say what was in it. No sign of any update on the Windows 10 Home machine. Seti@Home classic workunits:20,676 CPU time:74,226 hours A proud member of the OFA (Old Farts Association) |
JakeTheDog Send message Joined: 3 Nov 13 Posts: 153 Credit: 2,585,912 RAC: 0 |
This is my understanding of what should be done for these vulnerabilities. 1) Updates your operating system. Windows 10 patch is out. Windows 8 and 7 come out Tuesday the 9th. Dont know about older Windows, like Vista. Some virus scanners might block installation of the Windows updates. Check your virus scanner's website for info, or do additional research if you are unable to get the updates. OS will probably come out with more patches in the future. 2) Update your browsers. You type a specific command in Chrome's address bar, search for a "Strict Site Isolation" feature and enable it. Chrome will have more patches released at the end of this month. Firefox has an update out. The description says it "mitigates" the vulnerability, so I don't know how good this patch is. Safari will have one soon? Microsoft Edge and Internet Explorer are supposed to have them already, but I don't see it for my Windows 7. Possibly they are for Windows 10, I will have to check again on Tuesday. I'm sure all the developers will be working on new patches as time goes on. 3) Reduce your visits to suspicious websites and sites that have a lot of ads, until more security has been checked out. 4) There are motherboard patches for Intel Management Engine. Im not sure how this works. Each motherboard manufacturer should have info. However, they seem to include only those made in the past few years. I do not know what to do about my older rigs. WARNING: I think these are firmware update. Firmware updates for motherboards have high risk, if the update process is interrupted. 5) Cell phones. I believe Apple phones already have OS patches. Android patches have been given to Google phones, and manufacturers. It's up to the manufacturers to send their own updates. The Android security patch should say Janaury 2018. 6) Android browsers. I only checked Chrome Mobile. The current thing to do is also enable "Strict Site Isolation." Might have more patches in future updates. |
Gary Charpentier Send message Joined: 25 Dec 00 Posts: 30651 Credit: 53,134,872 RAC: 32 |
I got the same security rollup last night on one of my Windows 7 crunchers. Just checked and the other Windows 7 cruncher is downloading as I type. No idea of what was in the security patch. The KB information at MS didn't say what was in it. No sign of any update on the Windows 10 Home machine.KB did indicate the Windows Kernel was updated. |
wandrr Send message Joined: 24 Dec 00 Posts: 19 Credit: 40,182,080 RAC: 48 |
This is my understanding of what should be done for these vulnerabilities. Very good summary. Thanks! Arnie Alberta, Canada |
Jord Send message Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
From https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/ As Intel and others across the industry partner to protect customers from the exploits (referred to as “Spectre†and “Meltdownâ€) reported Wednesday, extensive testing has been conducted to assess any impact to system performance from the recently released security updates. Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact. |
Mike Send message Joined: 17 Feb 01 Posts: 34258 Credit: 79,922,639 RAC: 80 |
From https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/ It depends...................... Some with german abilities should read this http://www.planet3dnow.de/cms/35759-massive-sicherheitsluecke-in-intel-cpus-update-amd-arm-bugfixes-2/ With each crime and every kindness we birth our future. |
Grant (SSSF) Send message Joined: 19 Aug 99 Posts: 13736 Credit: 208,696,464 RAC: 304 |
Another look at the impact of the security patch. Summary- the biggest impact on performance is on benchmarks, most likely due to the fact they are frequently monitoring I/O (Input/Output) and making system calls to do so. So they are most impacted by the patch. In actual real life situations, the penalty (when there is one) is around 3.21%, which is within the margin of error for many tests, and as a actual performance penalty isn't enough to actually be noticeable by a user (generally 10% or more is necessary before people start to notice if things are better or worse). Where the patch is most likely to have a noticeable impact on actual performance is in the enterprise area (eg here with the Seti servers). However so far the very few comparative benchmarks I've seen have been with high end SSDs, where any impact will be most noticeable. On mechanical HDDs any impact is likely to be much less due to their already low levels of performance, and so they make many, many less system calls than a SSD does when under heavy loads and the impact of the patch will be much less. It's appearing (with the very limited testing to date) that the impact is pretty much only apparent on systems under extremely heavy loads (eg synthetic benchmarks, overloaded storage servers). For the average user, where I/O is minimal most of the time, the effects would appear to be non- existent. Microsoft's 'Meltdown' Patch Has Little Impact On Storage Application Performance. Grant Darwin NT |
Jord Send message Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
Solved. All get a Raspberry Pi: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/ |
Richard Haselgrove Send message Joined: 4 Jul 99 Posts: 14650 Credit: 200,643,578 RAC: 874 |
In the last couple of weeks, I've had to opportunity to hear two different BOINC project server administrators - Kevin Reed of World Community Grid, and our own Eric K - describe their real-world experience of the Meltdown / Sceptre security patches, as applied to high-performance, high-throughput, Linux servers. Both of them say that they've seen real-world slowdowns of 20% - 30% on that class of machine running BOINC server software - which by definition spend their time moving data from disk to network and vice-versa. I've just sent this email round to a small discussion group. As I understand it from Eric, the problem is keeping the 'kernel' and 'user' memory areas segregated. Previously, this was done via software flags: now it's done by physically unloading one set of memory page tables, and re-loading the other set. And that's done at every context switch between kernel and user mode. And those switches occur every time disk or network IO is needed. And what do BOINC servers spend their time doing? |
rob smith Send message Joined: 7 Mar 03 Posts: 22200 Credit: 416,307,556 RAC: 380 |
...Ouch - that's some hit in performance and would certainly explain the change in behaviour that we've seen from the splitters in the last few days. It makes me think is there a better way of managing the splitting and distribution process to reduce the number of i/o actions required per task transaction? But nothing pops to mind right now, and such a change would probably need some serious re-engineering of the underlying databases..... Bob Smith Member of Seti PIPPS (Pluto is a Planet Protest Society) Somewhere in the (un)known Universe? |
kittyman Send message Joined: 9 Jul 00 Posts: 51468 Credit: 1,018,363,574 RAC: 1,004 |
I am waiting for the class action lawsuits to start. People claiming that they no longer are getting the performance levels they paid for. I am sure there are lawyers just chomping at the bit. Meow. "Freedom is just Chaos, with better lighting." Alan Dean Foster |
Richard Haselgrove Send message Joined: 4 Jul 99 Posts: 14650 Credit: 200,643,578 RAC: 874 |
And to add to the woes: Intel fix causes reboots and slowdowns The company said it had reproduced the problem and was "making progress toward identifying the root cause".Reading further down, Intel now acknowledges: The most significant reduction in performance involved computer servers that store and retrieve large volumes of data. For those, the slowdown could be as severe as 25%.That's more honest - theory and reality begin to match at least. |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.