Intel security flaw

Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30608
Credit: 53,134,872
RAC: 32
United States
Message 1910701 - Posted: 5 Jan 2018, 0:07:35 UTC - in response to Message 1910562.  

For example, how easy is it for a hacker to become "an unprivileged, logged-in user". Can any counter-moves be made on this level ?


I would like to know this as well.

Depending on the services of the machine it may be the normal method of operation. Assuming you don't have a guest account and aren't running a web server then they would have to hack into your computer from some other way to get logged in. From there though another layer of hacking to exploit the flaw and a bit of luck and your passwords fly off to the criminals.
ID: 1910701 · Report as offensive
Darth Beaver
Joined: 20 Aug 99
Posts: 6728
Credit: 21,443,075
RAC: 3
Australia
Message 1910703 - Posted: 5 Jan 2018, 0:15:09 UTC - in response to Message 1910701.  

Assuming you don't have a guest account


Good advice, as when the hacker was trying to hack the Twitter account last week I think it may have also been the fact I had an admin account without a password, which I have now deleted. I don't remember a phone call happening just before that attempt, and why I think it may have been the admin account I had without the password.
ID: 1910703 · Report as offensive
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1910725 - Posted: 5 Jan 2018, 1:41:24 UTC - in response to Message 1910357.  
Last modified: 5 Jan 2018, 2:03:36 UTC

Regardless of manufacturer that's bad for computing as a whole. With the world's reliance on computers, it's bad enough having to contend with software flaws but hardware flaws...


There are always hardware flaws. I obviously don't need to remind anyone here of the FDIV bug in the original Pentium (which was a relatively minor bug compared to the F00F bug that could cause your computer to freeze up). This is why CPUs have steppings, to fix flaws in the original design.

But this particular flaw was originally a feature (i.e. no one really thought to exploit the feature introduced in the original Pentium Pro in 1995). What's worse is that because this is a hardware flaw, it has the potential to bypass virtual machines and hypervisors in the cloud so that, in theory, a hacker could access any running software or virtual machine running on a physical server. Cloud servers can have anywhere from 2 to several dozen virtual machines running at any given time (depending on need and specs).

Yes, this is a very serious flaw but nothing to panic over.
ID: 1910725 · Report as offensive
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1910728 - Posted: 5 Jan 2018, 1:51:33 UTC - in response to Message 1910540.  

For example, how easy is it for a hacker to become "an unprivileged, logged-in user". Can any counter-moves be made on this level ?


Using Meltdown or Spectre? The hacker wouldn't be able to use either method to become an unprivileged, logged-in user. The hack would have to run in the existing user context, such as through a browser exploit or a malicious executable, and they could then use these vulnerabilities to read contents of CPU and RAM at any time, or use the knowledge to create buffer overflow attacks so they could execute their own code.

So on their own, Meltdown and Spectre do not allow a hacker to become an unprivileged user. They don't really need to be an unprivileged user to wreak havoc. That said, these speculative execution flaws don't automatically allow a hacker to bypass other security systems in place, such as web browser sandboxing used in many modern browsers, or User Account Control in Windows.

As always, practice safe computing (don't click on every link you see and don't open attachments from people you don't know) and be careful.
ID: 1910728 · Report as offensive
Grant (SSSF)
Volunteer tester
Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 1910754 - Posted: 5 Jan 2018, 4:08:36 UTC

Other than OzzFan there's a lot of noise with little to no signal here at the moment.

Instead of going into Panic Mode, take a page out of the Hitch Hiker's Guide to the Galaxy & Don't Panic.
Why not read an article that explains what is & isn't actually known at this stage?
Grant
Darwin NT
ID: 1910754 · Report as offensive
tullio
Volunteer tester
Joined: 9 Apr 04
Posts: 8797
Credit: 2,930,782
RAC: 1
Italy
Message 1910780 - Posted: 5 Jan 2018, 9:33:00 UTC - in response to Message 1910655.  
Last modified: 5 Jan 2018, 10:00:02 UTC

I am using only AMD CPUs both on Windows 10 and SuSE Linux. Should I apply the patches too? Microsoft sends me an upgrade every month, and I have no way to refuse it. I can refuse to install Linux updates, but so far they have done no damage. I am running 4 BOINC projects using also nVidia graphic boards and/or VirtualBox.
Tullio


No, don't do those updates.

Not sure the Windows Home edition can refuse, if so I don't know how.

Neither do I on my Windows 10 Home edition on a HP PC with AMD A10-6700 CPU.
Tullio
ID: 1910780 · Report as offensive
Grant (SSSF)
Volunteer tester
Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 1910784 - Posted: 5 Jan 2018, 9:45:46 UTC

OK, here are some early benchmarks comparing before patch & after patch performance on an i7-8700k Win10 system.
Summary: Significant slowdown for 4k disk reads (some write performances have actually improved). As for gaming, general productivity, general computing tasks: no measurable effect.
Testing Windows 10 Performance Before and After the Meltdown Flaw Emergency Patch.
Grant
Darwin NT
ID: 1910784 · Report as offensive
Richard Haselgrove
Volunteer tester
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1910804 - Posted: 5 Jan 2018, 14:13:06 UTC

Just been offered, and installed, what claims to be the January 2018 Security Monthly Quality Rollup for Windows 7 - which we weren't expecting until next Tuesday or (usually in the UK) Wednesday. No specific mention of either Meltdown or Spectre. Identity is KB4056894.

Windows Update offered it solo, without the usual Malicious Software Removal Tool, so we don't really know exactly what's going on - but it's perhaps a sign of progress.
ID: 1910804 · Report as offensive
Keith Myers
Volunteer tester
Joined: 29 Apr 01
Posts: 13161
Credit: 1,160,866,277
RAC: 1,873
United States
Message 1910859 - Posted: 5 Jan 2018, 18:30:44 UTC

I got the same security rollup last night on one of my Windows 7 crunchers. Just checked and the other Windows 7 cruncher is downloading as I type. No idea of what was in the security patch. The KB information at MS didn't say what was in it. No sign of any update on the Windows 10 Home machine.
Seti@Home classic workunits:20,676 CPU time:74,226 hours

A proud member of the OFA (Old Farts Association)
ID: 1910859 · Report as offensive
JakeTheDog
Joined: 3 Nov 13
Posts: 153
Credit: 2,585,912
RAC: 0
United States
Message 1911060 - Posted: 6 Jan 2018, 3:44:46 UTC
Last modified: 6 Jan 2018, 3:49:20 UTC

This is my understanding of what should be done for these vulnerabilities.
1) Update your operating system. Windows 10 patch is out. Windows 8 and 7 come out Tuesday the 9th. Don't know about older Windows, like Vista. Some virus scanners might block installation of the Windows updates. Check your virus scanner's website for info, or do additional research if you are unable to get the updates. OS will probably come out with more patches in the future.
2) Update your browsers. You type a specific command in Chrome's address bar, search for a "Strict Site Isolation" feature and enable it. Chrome will have more patches released at the end of this month. Firefox has an update out. The description says it "mitigates" the vulnerability, so I don't know how good this patch is. Safari will have one soon? Microsoft Edge and Internet Explorer are supposed to have them already, but I don't see it for my Windows 7. Possibly they are for Windows 10, I will have to check again on Tuesday. I'm sure all the developers will be working on new patches as time goes on.
3) Reduce your visits to suspicious websites and sites that have a lot of ads, until more security has been checked out.
4) There are motherboard patches for Intel Management Engine. I'm not sure how this works. Each motherboard manufacturer should have info. However, they seem to include only those made in the past few years. I do not know what to do about my older rigs. WARNING: I think these are firmware updates. Firmware updates for motherboards have high risk, if the update process is interrupted.

5) Cell phones. I believe Apple phones already have OS patches. Android patches have been given to Google phones, and manufacturers. It's up to the manufacturers to send their own updates. The Android security patch should say January 2018.
6) Android browsers. I only checked Chrome Mobile. The current thing to do is also enable "Strict Site Isolation." Might have more patches in future updates.
ID: 1911060 · Report as offensive
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30608
Credit: 53,134,872
RAC: 32
United States
Message 1911072 - Posted: 6 Jan 2018, 5:07:31 UTC - in response to Message 1910859.  

I got the same security rollup last night on one of my Windows 7 crunchers. Just checked and the other Windows 7 cruncher is downloading as I type. No idea of what was in the security patch. The KB information at MS didn't say what was in it. No sign of any update on the Windows 10 Home machine.
KB did indicate the Windows Kernel was updated.
ID: 1911072 · Report as offensive
wandrr
Joined: 24 Dec 00
Posts: 19
Credit: 40,182,080
RAC: 48
Canada
Message 1911138 - Posted: 6 Jan 2018, 16:34:02 UTC - in response to Message 1911060.  

This is my understanding of what should be done for these vulnerabilities.
1) Update your operating system. Windows 10 patch is out. Windows 8 and 7 come out Tuesday the 9th. Don't know about older Windows, like Vista. Some virus scanners might block installation of the Windows updates. Check your virus scanner's website for info, or do additional research if you are unable to get the updates. OS will probably come out with more patches in the future.
2) Update your browsers. You type a specific command in Chrome's address bar, search for a "Strict Site Isolation" feature and enable it. Chrome will have more patches released at the end of this month. Firefox has an update out. The description says it "mitigates" the vulnerability, so I don't know how good this patch is. Safari will have one soon? Microsoft Edge and Internet Explorer are supposed to have them already, but I don't see it for my Windows 7. Possibly they are for Windows 10, I will have to check again on Tuesday. I'm sure all the developers will be working on new patches as time goes on.
3) Reduce your visits to suspicious websites and sites that have a lot of ads, until more security has been checked out.
4) There are motherboard patches for Intel Management Engine. I'm not sure how this works. Each motherboard manufacturer should have info. However, they seem to include only those made in the past few years. I do not know what to do about my older rigs. WARNING: I think these are firmware updates. Firmware updates for motherboards have high risk, if the update process is interrupted.

5) Cell phones. I believe Apple phones already have OS patches. Android patches have been given to Google phones, and manufacturers. It's up to the manufacturers to send their own updates. The Android security patch should say January 2018.
6) Android browsers. I only checked Chrome Mobile. The current thing to do is also enable "Strict Site Isolation." Might have more patches in future updates.


Very good summary. Thanks!
Arnie
Alberta, Canada
ID: 1911138 · Report as offensive
Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1911162 - Posted: 6 Jan 2018, 17:41:39 UTC

From https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/

As Intel and others across the industry partner to protect customers from the exploits (referred to as “Spectre” and “Meltdown”) reported Wednesday, extensive testing has been conducted to assess any impact to system performance from the recently released security updates. Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact.
ID: 1911162 · Report as offensive
Mike
Volunteer tester
Joined: 17 Feb 01
Posts: 34253
Credit: 79,922,639
RAC: 80
Germany
Message 1911166 - Posted: 6 Jan 2018, 17:50:11 UTC - in response to Message 1911162.  

From https://newsroom.intel.com/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/

As Intel and others across the industry partner to protect customers from the exploits (referred to as “Spectre” and “Meltdown”) reported Wednesday, extensive testing has been conducted to assess any impact to system performance from the recently released security updates. Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact.


It depends......................
Some with German abilities should read this: http://www.planet3dnow.de/cms/35759-massive-sicherheitsluecke-in-intel-cpus-update-amd-arm-bugfixes-2/


With each crime and every kindness we birth our future.
ID: 1911166 · Report as offensive
Grant (SSSF)
Volunteer tester
Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 1911249 - Posted: 6 Jan 2018, 20:42:59 UTC
Last modified: 6 Jan 2018, 20:50:35 UTC

Another look at the impact of the security patch.

Summary: the biggest impact on performance is on benchmarks, most likely due to the fact they are frequently monitoring I/O (Input/Output) and making system calls to do so. So they are most impacted by the patch. In actual real life situations, the penalty (when there is one) is around 3.21%, which is within the margin of error for many tests, and as an actual performance penalty isn't enough to actually be noticeable by a user (generally 10% or more is necessary before people start to notice if things are better or worse).
Where the patch is most likely to have a noticeable impact on actual performance is in the enterprise area (e.g. here with the Seti servers). However so far the very few comparative benchmarks I've seen have been with high end SSDs, where any impact will be most noticeable. On mechanical HDDs any impact is likely to be much less due to their already low levels of performance, and so they make many, many fewer system calls than an SSD does when under heavy loads and the impact of the patch will be much less.
It's appearing (with the very limited testing to date) that the impact is pretty much only apparent on systems under extremely heavy loads (e.g. synthetic benchmarks, overloaded storage servers). For the average user, where I/O is minimal most of the time, the effects would appear to be non-existent.

Microsoft's 'Meltdown' Patch Has Little Impact On Storage Application Performance.
Grant
Darwin NT
ID: 1911249 · Report as offensive
Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 1911450 - Posted: 7 Jan 2018, 9:57:46 UTC

ID: 1911450 · Report as offensive
Richard Haselgrove
Volunteer tester
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1913706 - Posted: 18 Jan 2018, 12:34:45 UTC

In the last couple of weeks, I've had the opportunity to hear two different BOINC project server administrators - Kevin Reed of World Community Grid, and our own Eric K - describe their real-world experience of the Meltdown / Spectre security patches, as applied to high-performance, high-throughput, Linux servers. Both of them say that they've seen real-world slowdowns of 20% - 30% on that class of machine running BOINC server software - which by definition spend their time moving data from disk to network and vice-versa. I've just sent this email round to a small discussion group.

As I understand it from Eric, the problem is keeping the 'kernel' and 'user' memory areas segregated. Previously, this was done via software flags: now it's done by physically unloading one set of memory page tables, and re-loading the other set. And that's done at every context switch between kernel and user mode. And those switches occur every time disk or network IO is needed. And what do BOINC servers spend their time doing?

Eric has one server with 512 GB of RAM: that's the one which handles workunit generation for the new(-ish) Green Bank / Breakthrough Listen data. The format of that data requires that 64x more data than previously has to be loaded from 'tape' images on disk, before even the first WU can be split. Eric is thinking and planning how to mitigate the delays by re-allocating servers and implementing smart caching where possible: but that's all dependent on time and manpower, both of which are in short supply.

Separately, I note that "[Einstein] are going to shut down the project next Tuesday, Jan 23rd at around 10 AM CET for an upgrade of our database backend systems to make them ready for the years to come. We're going to upgrade hardware parts, operating systems as well the databases themselves, which is why we need to shut down the entire project, including the BOINC backend and this very website". They don't say whether this has been planned with Meltdown / Spectre remediation in mind (possibly it's coincidental - seems a bit quick for causation), but they'll certainly need to address it somehow.

All of which makes me wonder (not for the first time) whether BOINC should encourage and enable some sort of 'server admin support group' (perhaps alongside the server stable branch proposal), for occasions like this when a common problem hits all of you at once?
ID: 1913706 · Report as offensive
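
An added illustration of the cost described in the post above (not part of the original thread and not BOINC server code): every system call is a user/kernel round trip, so with the page-table switch added to each one, the same 1 MiB of disk data costs far more in transitions when fetched in small reads than in large ones. The scratch path `/tmp/kpti_demo.bin`, the buffer sizes and the helper names are assumptions of this sketch; the sysfs status file is the one Linux kernels with the Meltdown patch expose.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Write `size` bytes of filler to `path` (constructed sample data). */
int make_sample_file(const char *path, size_t size) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < size; i++)
        if (fputc('x', f) == EOF) { fclose(f); return -1; }
    return fclose(f);
}

/* Read the whole file with read() in `bufsize` chunks and return how many
   read() calls (user->kernel->user round trips) it took, or -1 on error.
   The final call that returns 0 at end of file is counted too. */
long count_reads(const char *path, size_t bufsize) {
    char *buf = malloc(bufsize);
    int fd = open(path, O_RDONLY);
    long calls = 0;
    ssize_t n = -1;
    if (buf && fd >= 0) {
        do { n = read(fd, buf, bufsize); calls++; } while (n > 0);
    }
    if (fd >= 0) close(fd);
    free(buf);
    return (n == 0) ? calls : -1;
}

/* Average wall-clock cost in nanoseconds of one minimal system call. */
double ns_per_syscall(long iters) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (long i = 0; i < iters; i++) (void)getppid();
    clock_gettime(CLOCK_MONOTONIC, &b);
    return ((b.tv_sec - a.tv_sec) * 1e9 + (b.tv_nsec - a.tv_nsec)) / iters;
}

/* Copy the kernel's Meltdown status line into `out`; -1 if not exposed. */
int meltdown_status(char *out, size_t len) {
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    if (!f) return -1;
    if (!fgets(out, (int)len, f)) out[0] = '\0';
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

int main(void) {
    const char *path = "/tmp/kpti_demo.bin";   /* assumed scratch location */
    char status[128];
    if (make_sample_file(path, 1 << 20) != 0) return 1;
    double ns = ns_per_syscall(1000000);
    long small = count_reads(path, 512), large = count_reads(path, 65536);
    printf("meltdown status: %s\n",
           meltdown_status(status, sizeof status) == 0 ? status : "(not exposed)");
    printf("~%.0f ns per kernel round trip\n", ns);
    printf("1 MiB in 512 B reads:  %ld calls, ~%.0f us in transitions\n", small, small * ns / 1e3);
    printf("1 MiB in 64 KiB reads: %ld calls, ~%.0f us in transitions\n", large, large * ns / 1e3);
    remove(path);
    return 0;
}
```

Running it on the same machine with the mitigation enabled and disabled shows the per-call cost change directly, while the call counts stay fixed by the buffer size.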
rob smith
Volunteer moderator
Volunteer tester
Joined: 7 Mar 03
Posts: 22158
Credit: 416,307,556
RAC: 380
United Kingdom
Message 1913719 - Posted: 18 Jan 2018, 13:29:10 UTC

...Ouch - that's some hit in performance and would certainly explain the change in behaviour that we've seen from the splitters in the last few days.
It makes me think is there a better way of managing the splitting and distribution process to reduce the number of i/o actions required per task transaction? But nothing pops to mind right now, and such a change would probably need some serious re-engineering of the underlying databases.....
Bob Smith
Member of Seti PIPPS (Pluto is a Planet Protest Society)
Somewhere in the (un)known Universe?
ID: 1913719 · Report as offensive
kittyman
Volunteer tester
Joined: 9 Jul 00
Posts: 51468
Credit: 1,018,363,574
RAC: 1,004
United States
Message 1913720 - Posted: 18 Jan 2018, 13:33:41 UTC

I am waiting for the class action lawsuits to start. People claiming that they no longer are getting the performance levels they paid for. I am sure there are lawyers just chomping at the bit.

Meow.
"Freedom is just Chaos, with better lighting." Alan Dean Foster

ID: 1913720 · Report as offensive
Richard Haselgrove
Volunteer tester
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1913722 - Posted: 18 Jan 2018, 13:55:50 UTC
Last modified: 18 Jan 2018, 13:59:49 UTC

And to add to the woes:

Intel fix causes reboots and slowdowns

The company said it had reproduced the problem and was "making progress toward identifying the root cause".
Reading further down, Intel now acknowledges:

The most significant reduction in performance involved computer servers that store and retrieve large volumes of data. For those, the slowdown could be as severe as 25%.
That's more honest - theory and reality begin to match at least.
ID: 1913722 · Report as offensive
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.