TCCoA Forums banner

1 - 11 of 11 Posts

·
Super Moderator
Joined
·
10,758 Posts
Discussion Starter #1
So, how many of you guys are having to deal with this latest gift from Intel, and our security agencies?

We only seem to find out about this crap when it escapes our control, and shows up in the wild. :rolleyes:

I've looked at the performance hit, and I'm seeing ~20% degradation that takes any serious power at all, so Intel effectively took all my systems that aren't playing mp3 files or video, and made them worth ~1/3 their purchase price.

They sell processors by cost vs performance, so they effectively ripped off every customer by 33%.

Good money, if you can get it, eh? :)


Most of you probably haven't noticed, but the Windows "Update" rollout was this week; so that laggy feeling you have now is all Intel's fault. :facepalm:

This makes the next system I'm working on AMD based; just to encourage them, if nothing else.

I needed a good excuse to upgrade; Thanks, Intel! :wavey:
 

·
Registered
Joined
·
200 Posts
My understanding is that one of the two hit AMD, while both hit Intel.
I also would bet just like VW; someone opened this hole in security to boost those performance numbers in an effort to increase speed recklessly as it sounds like pre 2008 processors did not show this vulnerability.
 

·
Super Moderator
Joined
·
3,594 Posts
Long story short; Meltdown affects only Intel CPUs and is a vulnerability where a user process could access a kernel process's memory pages by way of Intel processor optimizations. Spectre affects ALL processors that utilize speculative execution functions (practically every processor platform made since 1995) and is a vulnerability where a user process could access other user process memory pages that are called up as a result of the speculative execution function. Meltdown is bad but Spectre is worse. Neither vulnerability is a design flaw exactly. The patches to fix them work by effectively turning off speculative execution which is what causes the performance hit.

Here is a good article on it if you're interested: https://www.theregister.co.uk/2018/01/09/meltdown_spectre_slowdown/
 

·
Super Moderator
Joined
·
10,758 Posts
Discussion Starter #5
The strange thing to me is that this is a thing; every bit of code I ever wrote Knew where kernel stuff was, and called almost everything directly.

No security whatsoever, by today's coding standards. :)

I need to install Win98 on one of the computers I'm taking off the web, just to see what 20 years does to code execution. :)

If I can get OS2 running, I could run 12 things at once with no slowdowns, as long as one is the os...

A lot of stuff I wrote had to fit into either 16k, 640k, or 16MB; few compiled programs are that small.

At this point, I just need to grab something (an ipad?) to do web stuff with, and keep everyone else off the web. :(
 

·
Super Moderator
Joined
·
3,594 Posts
The strange thing to me is that this is a thing; every bit of code I ever wrote Knew where kernel stuff was, and called almost everything directly.

No security whatsoever, by today's coding standards. :)
Well, that's the trick. The processor doesn't know the difference between your process or another process requesting memory pages. The way to execute and exploit is to "tickle" the processor into fetching memory pages for a different thread so that it speculates the next bit of memory needed and then the offending process then reads the page to see what data it contains. If it contains encryption keys, passwords, or other sensitive data then it's harvested for use elsewhere. This is not a short term hack but if you penetrate a system with malware (i.e. javascript on a web page which Mozilla proved was possible) then you just sit tight and harvest data since it takes a long time to get useful information.

I need to install Win98 on one of the computers I'm taking off the web, just to see what 20 years does to code execution. :)

If I can get OS2 running, I could run 12 things at once with no slowdowns, as long as one is the os...

A lot of stuff I wrote had to fit into either 16k, 640k, or 16MB; few compiled programs are that small.

At this point, I just need to grab something (an ipad?) to do web stuff with, and keep everyone else off the web. :(
Well, regarding the old OS's, you could definitely do all kinds of interesting things against them since they were written in the days when security wasn't that much of a concern. Regarding an iPAD, just remember that among the list of Spectre exploitable processors is ARM, Intel, AMD, Sparc, Power7 and up, IBM zSeries, PA-RISC, and who knows what else. The only ones that were explicitly named as not vulnerable were certain ARM processors and certain Intel Atom processors that were low end and didn't perform speculative execution. There were statements that Android was a little less susceptible because Google apparently handled memory operations a little different but I'm not sure I would bet on it at this point.
 

·
Super Moderator
Joined
·
10,758 Posts
Discussion Starter #7
Everything uses SpecEx these days; otherwise, there's no way to keep pipelines full. :)

The Intel problem is that the 'Bounds Check' was done at the end, instead of the beginning, like AMD. :)

There are inter-intermediate answers available that make the bounds check irrelevant, so it's a hole. :)

I'm seeing 20% drop in most of my stuff; this sux.


Heh. The one computer I have currently on that is not susceptible is an IBM model 50, running dos 3.3; it's getting a hard drive upgrade, if I can find one. :)

I think it's a 486SX; if so, somewhere I have real processors for it... :grin2:

It has an Ortec MCA card and software on it; it was a good score. $50k worth of software...
 

·
Super Moderator
Joined
·
9,362 Posts
I haven't patched just yet... I just stay away from those websites. :zwall:
 

·
Super Moderator
Joined
·
10,758 Posts
Discussion Starter #9
I only browse on this computer, but it's amazing how many programs need to 'phone home' to actually work these days.

My XP machine's programs are older than that, so it's happy being on a dark net; win7, not so much.

Win95, 98, and XP really don't need to be exposed to the web anyway, these days; I won't be patching those systems.


I love DOS, it's so simple; took me less than 10 minutes to have this IBM model 50 system running fine.

It was so old and had been sitting so long I had to use a variac to repolarize the power supply caps. That's probably in the 20 year mark... :surprise:

It's sitting here taking data on a 30yo sodium-22 source; this $50k software is supposed to be able to determine the type of the sample, so we'll see. :)
 

·
Registered
Joined
·
2,472 Posts
From what I'm hearing the Hacks are difficult and only going to be useful as a targeted attack--I'm not too concerned.

As for the current "fix" its just the industry afraid of being sued so they are just shutting it off, just ask the people with AMD and Windows that are now bricks or at best BSOD.

If you want a secure system I hear Raspberry PIs are safe.


Though Grog you are right programmers have gotten lazy in that they don't have to fit it on 744k, and the text based OS keeps the idiots out.
 

·
Super Moderator
Joined
·
10,758 Posts
Discussion Starter #11
I booted a DOS computer today; it runs my code from the 80's, lol.

I wrote a version of Conway's Life program that fit in 16k on an x86; the more memory you had, the bigger the field could be.

It would run R-Pentomino to completion, (except for the gliders) but not much more.

"Golly" is a wonderful program for such things; if anyone is interested, we should start a thread. :)

The BEST part is that I can run the AD&D character creation program I wrote in the 80's; I need to mod it, but it's 3MB of C, Basic, and assembler, all compiled for a 386. :)

Basic for the menus, C for the linked list data structure, and assembler for the shitloads of data that was in DATA statements, lol.

All compiled in object files, and linked to an exe. :)
 
1 - 11 of 11 Posts
Top