Meltdown, Spectre: How they failed, what do we know?

[wutsinterweb]

I just read another article about Meltdown and Spectre, how Intel kept things quiet in concert with Microsoft and other companies and how we are still probably being kept in the dark to an extent. I read how google and other private hack analysts found the issues and revealed them when the manufacturers were still keeping mum about the issues and that MS and others kept pushing for Linux Kernel changes that made devs suspicious that something was up.

I don't know what to take seriously. I don't know how vulnerable my systems are compared with Windows systems now. I don't understand how these companies can get away with keeping us, especially Linux people, in the dark. I can't understand how MS's Secure boot and manufacturers can also get away with making things so much harder for us to move TO Linux.

I'm angry. I wish I could sue. I'm angry about how quiet Intel, AMD, and the Cell processor makers kept things quiet for so darned long and how not enough effort seems to be visible for them addressing the issues. I've recieved no warnings from AMD or Intel or others, no emails or letters about what to do or what they are doing about it.

I'm frustrated that, even with all the articles about it, information about what microcode/Kernel/BIOS updates I will need for my products will be isn't right out there in an adequately visible and publicized manner.

I moved to Intel a few years ago, I have Haswell and pre Haswell products and I don't know how vulnerable I am. I don't know if firejail and script protections will help at all, I don't know anything, and I'm frustrated about that. If *I* know so little, how much less do the consumer class that are passive about computing know?

This is not cool. I'm genuinely worried about these issues much more than any other I've ever come across.

I see this:

https://www.ghacks.net/2018/01/11/check ... erability/

I will do it, but why isn't this getting more attention?

[wutsinterweb]

http://www.zdnet.com/article/how-linux- ... d-spectre/

And I test vulnerable still.

[wutsinterweb]

Also, what about my BIOS/UEFI, will there ever be updates for my systems, which are over 3 years old technlogoy wise.

[Citizen229]

With data being big money these days......
I am wondering if this fits into the realm of prosecutable conspiracy, for all parties who kept quiet. Since I do not fully understand it, you can be assured there is almost no one in the government that does either.... unless they abused it themselves.

[jimallyn]

I don't know how vulnerable my systems are compared with Windows systems now.

I would imagine that your Linux systems are still less vulnerable compared to Windows, as always.

I wish I could sue.

I don't know of any reason why you can't. Class action suits are being filed now.

https://arstechnica.com/gadgets/2018/01 ... d-spectre/

[BigEasy]

Also, what about my BIOS/UEFI, will there ever be updates for my systems, which are over 3 years old technlogoy wise.

Let's say it will tomorrow. Are you ready to update BIOS/UEFI with the some Linux software?

[ArtGirl]

I don't understand how these companies can get away with keeping us, especially Linux people, in the dark. I can't understand how MS's Secure boot and manufacturers can also get away with making things so much harder for us to move TO Linux.

I'm angry. I wish I could sue. I'm angry about how quiet Intel, AMD, and the Cell processor makers kept things quiet for so darned long and how not enough effort seems to be visible for them addressing the issues. I've recieved no warnings from AMD or Intel or others, no emails or letters about what to do or what they are doing about it.

I'm frustrated that, even with all the articles about it, information about what microcode/Kernel/BIOS updates I will need for my products will be isn't right out there in an adequately visible and publicized manner.

This is not cool. I'm genuinely worried about these issues much more than any other I've ever come across.

Completely understandable. The upside of all this is watching Intel's share drop, and so many now switched on about looking elsewhere (AMD) and what to demand for new hardware. Hopefully everyone's as angry and take the actions that teach these companies they've 100% stepped over the mark ... people buying elsewhere over the next year or two would have a significant effect on Intel and co. They treat customers like dirt and as cashpoints, so I see nothing wrong with taking action against them.

In the short term, all that can be done regarding a place where everything is covered clearly in one post is a post I've seen here [can't find it but I think it was by pjotr, giving instructions for the various things, in one post], and checking Clem's post on the blog maybe, for new patch releases? https://blog.linuxmint.com/?p=3496. The most recent post is dated January 9th, and I imagine there could be a new post when the patches expected this week come through. There's also this central Ubuntu page that gives clear information: https://insights.ubuntu.com/2018/01/12/ ... us-update/

[wutsinterweb]

Also, what about my BIOS/UEFI, will there ever be updates for my systems, which are over 3 years old technlogoy wise.

Let's say it will tomorrow. Are you ready to update BIOS/UEFI with the some Linux software?

I don't think I'd have to, my motherboard will update BIOS direct off USB without using an os, I don't remember the details, but I remember that that was a selling point.

[wutsinterweb]

I'd like to see a class action law suit that includes Microsoft, both for their involvement in this but mostly I'd like to go after them because, in my perception, they've colluded to make it difficult to install Linux on most modern systems. Every laptop I've tried to install on has presented problems figuring out how to get past Secure Boot, Faststart/boot, UEFI settings, Bootloader issues, and other hassles. It's just wrong how Intel and MS behave, and not just them, but google, ATT, Verizon, Comcast, the other cablecos and telcos, non of them behave like they have any regard for consumers any longer. They are all corrupt.

I'd be overjoyed if I could get Linux laptops for comparable prices, in the entire price range. I'm sorry, but things just seem very unjust.

[Spearmint2]

If the Eurozone wasn't in such turmoil right now, I think they'd have already gone after Microsoft again for their non-competitive practices. The US govt will NEVER do that with Microsoft and Intel, because they are huge US companies. Class action suits are the only thing in the US they end up facing.

[wutsinterweb]

I don't care how hard Bill and Melinda Gates pose as humanitarians, they are power playing egotists who have sought to impose upon the world and take away freedoms. It's so easy to act like a benefactor to the world once one is a billionaire, but a Lion never loses his furry crown, and a leopard never loses its spots, nor a tiger his stripes. A cat, no matter how fluffy or furry, is still a cat, and cats are, well, I will stop there.

I am so angry right now.

[ArtGirl]

I don't care how hard Bill and Melinda Gates pose as humanitarians, they are power playing egotists who have sought to impose upon the world and take away freedoms. It's so easy to act like a benefactor to the world once one is a billionaire, but a Lion never loses his furry crown, and a leopard never loses its spots, nor a tiger his stripes. A cat, no matter how fluffy or furry, is still a cat, and cats are, well, I will stop there.

I am so angry right now.

Well said.

[wutsinterweb]

I haven't read anything about AMD behaving the same way as Intel on these CVEs. I imagine that AMD is complicite in keeping this quiet also, but are they AS guilty of our mistrust as Intel?

I am thinking right now that I might move when I build my next system to AMD, a Threadripper if and when I can afford it. I just don't feel the love with Intel that I have in the past.

[151tom]

.

[BG405]

Cats (the furry kind) have a soft loving side despite their other instincts. These corporate fat-cats, however .. I too am disgusted.

[curtvaughan]

I haven't read anything about AMD behaving the same way as Intel on these CVEs. I imagine that AMD is complicite in keeping this quiet also, but are they AS guilty of our mistrust as Intel?

I am thinking right now that I might move when I build my next system to AMD, a Threadripper if and when I can afford it. I just don't feel the love with Intel that I have in the past.

Believe it or not, the CPU chip technology behind all of this originated logically in the sixties. "Look ahead" predictive behavior was almost an AI technology implemented at the hardware level. What has happened over the last decade or so is that speed and parallel processing in hardware has finally advanced sufficiently for the flaws in the predictive algorithms mated with modern CPU hardware to become more readily apparent and exploitable. I find the corporations at the "teir 1" level have become more culpable over the last year, when the flaws were demonstrated by engineers and computer scientists. The attempt to be secretive about the revelations, once discovered, is definitely a corrupt move meant to maintain sales and profits of demonstrably flawed hardware. The only good thing about this is that it is forcing chip and hardware designers to explore new technologies sans the decades old flaws. I can see its also having a short term influence on pricing of vulnerable hardware currently on the market. Somehow that latest generation I7 chip doesn't look like that great deal.

[curtvaughan]

I haven't read anything about AMD behaving the same way as Intel on these CVEs. I imagine that AMD is complicite in keeping this quiet also, but are they AS guilty of our mistrust as Intel?

I am thinking right now that I might move when I build my next system to AMD, a Threadripper if and when I can afford it. I just don't feel the love with Intel that I have in the past.

Believe it or not, the CPU chip technology behind all of this originated logically in the sixties. "Look ahead" predictive behavior was almost an AI technology implemented at the hardware level. What has happened over the last decade or so is that speed and parallel processing in hardware has finally advanced sufficiently for the flaws in the predictive algorithms mated with modern CPU hardware to become more readily apparent and exploitable. I find the corporations at the "teir 1" level have become more culpable over the last year, when the flaws were demonstrated by engineers and computer scientists. The attempt to be secretive about the revelations, once discovered, is definitely a corrupt move meant to maintain sales and profits of demonstrably flawed hardware. The only good thing about this is that it is forcing chip and hardware designers to explore new technologies sans the decades old flaws. I can see its also having a short term influence on pricing of vulnerable hardware currently on the market. Somehow that latest generation I7 chip doesn't look like that great deal.

[wutsinterweb]

A good article for those not fully aware of some aspects of the problems:

https://www.bloomberg.com/news/features ... ct-like-it

[wutsinterweb]

My brother in law's work computer (he has a lot of them, this is the turnkey one), which I think is AMD based, just exhibited problems, taking all night to update, running as slow as, perhaps a 12 year old system. He knows about Meltdown and Spectre (the latter being the likely issue) and is not sure if it is due to the latest Windows update since he wasn't paying attention. He is about to build a new system as a preemptive step in case his system is starting to fail, but the timing is bad. Of course, it will be an AMD system, he almost never buys Intel products, has a bias about them.

I wonder if we can all benchmark our systems before the spectre fixes land so we can have an intelligable figure as to loss in performance.

I also wonder, what, beyond the usual things, one can do to reduce exposure. I would imagine:

Don't run Javascript code?
Use Sandboxes.
Turn off systems when not needed?
Don't run VMs unless you really have to?

[BigEasy]

Nothing, nothing changed in our behaivour. Everything as usual: don't install software that not in official repo, enable JS only by your choice, update installed in time. That's all.
If tomorrow MeldSpectre will totally fixed, then will no cancellation of those written in bold above.
Please remember, to stole personal secret data there is lot of more simple mass tricks than MeldSpectre (for example, Mint site hack and stolen data in 2016, and some people installed already corrupted OS because of it).
So, take it easy.