Spectre doesn't stand a ghost of a chance on the new Chrome, nor will your available RAM

Subject: General Tech | July 12, 2018 - 02:10 PM |
Tagged: chrome, security, spectre

Chrome's predilection for gobbling up vast amounts of RAM will soon increase to new levels, but it is for a very good reason. Chrome 67 will offer a Site Isolation feature which will protect you against a variety of Spectre attacks. When you have this feature enabled in Chrome, each site is isolated, with a single renderer process per page. This means cross-site iframes and pop-ups will be unable to read data from other pages; in fact a single site may spawn multiple render processes, each running in isolation.

There is of course a cost; The Inquirer was quoted an increase of 10-13% in RAM usage ... so better get a 128GB kit.

"The new feature basically splits the render process into separate tasks using out-of-process iframes, which makes it difficult for speculative execution exploits like Spectre to snoop on data."

Source: The Inquirer

Cortana's feeling vulnerable; that's why she's always eavesdropping on you

Subject: General Tech | June 13, 2018 - 12:39 PM |
Tagged: security, windows 10, cortana, microsoft, spectre

If your Win10 machine did not go beep in the night, you might want to get on that reboot as there are numerous security patches waiting to install. One of them addresses a long-standing flaw which affects those who haven't disembowelled the Cortana search assistant on their computer. For those that have managed to subdue Cortana, rest assured she is not listening to you at all times; those who haven't should be aware that she is always listening, even in her sleep. As creepy as that already is, it has also been a way to take advantage of a long-standing security flaw in the assistant. This, as well as a patch for a Spectre variant and a variety of other patches, is awaiting your installation.

You can check out information on Cortana's bad habits over at The Inquirer.

"Lane Thames, a senior security researcher at Tripwire, spoke out about the long-standing flaw with Cortana, that meant the AI helper was always listening for commands, even when a PC is locked."

Source: The Inquirer

Podcast #500 - Steam cache, Ultra ultra wide Samsung monitor, and more!

Subject: General Tech | May 24, 2018 - 05:37 PM |
Tagged: Z390, video, steam, spectre, Samsung, QLC NAND, Predator X27, podcast, nzxt, logitech, GTX1050, G513, FreeSync2, corsair, asus, acer

PC Perspective Podcast #500 - 05/24/18

Join us this week for discussion on Steam cache, Ultra ultra wide Samsung monitor, and more!

You can subscribe to us through iTunes and you can still access it directly through the RSS page HERE.

The URL for the podcast is: http://pcper.com/podcast - Share with your friends!

Hosts: Ryan Shrout, Allyn Malventano, Jeremy Hellstrom, Josh Walrath

Peanut Gallery: Ken Addison, Alex Lustenberg

Program length: 1:55:11

Podcast topics of discussion:
  1. 0:07:30 We reminisce about 500 episodes...
  2. Week in Review:
  3. News items of interest:
  4. Picks of the Week:
    1. 1:45:15 Jeremy: Xbox Adaptive Controller
    2. 1:47:25 Josh: How cheap can we go?
  5. Closing/outro

Spectre 3a and Spectre 4 Unfortunately Announced...

Subject: Processors | May 22, 2018 - 07:51 PM |
Tagged: x86, arm, Intel, amd, spectre

Security researchers at Microsoft and Google have found two new vulnerabilities along the lines of the Spectre and Meltdown bugs from early January. These are being called Spectre 3a (Rogue System Register Read) and Spectre 4 (Speculative Store Bypass). Like last time, hardware and software vendors have addressed the issues, which will be coming down via OS updates.

Naturally, James Bond will steal information when there's Intel Inside.

On the AMD side of things, they claim that the Spectre 4 vulnerability will be patched as far back as Bulldozer (2011). They also claim that no action will be necessary, at least to their knowledge, for Spectre 3a on their x86 parts. They have also released a short, five-page whitepaper discussing the issue.

On the Intel side of things… a security bulletin has been posted for CPUs as far back as Nehalem. They don’t exactly clarify which processors are susceptible to which vulnerabilities, but they acknowledge that both Spectre 3a and Spectre 4 touch something on their product stack to some extent. They have submitted a beta microcode update to OS vendors, which they expect to be production ready “in the coming weeks”.

ARM is also affected to some extent. They have published a table that lists which architectures are vulnerable to what exploit. Interestingly, there are some processors that are vulnerable to 3a, but not 4, and others that are vulnerable to 4, but not 3a (and, of course, some that are vulnerable to both and neither). Since these exploits are based on optimizations gone awry, you would think that it would have built up over time, but that doesn’t seem to be the case. The only pattern I could notice is that Variant 4 only affects newish 64-bit ARM processors. I don’t know if that’s a red herring, or a well-known corollary of the bug that I just don’t know enough about, but it’s about all that I can see.

Regardless, expect patches soon, which might, again, lower performance by some amount.

Have an old Intel CPU and worry about Spectre V2? We predict that your tastes will branch out soon.

Subject: General Tech | April 4, 2018 - 01:19 PM |
Tagged: Intel, spectre

Processors fabbed by Intel over the last decade are all vulnerable to one of the Spectre vulnerabilities which were revealed, even after the patches and microcode updates which have been released to mitigate the flaw. It would seem that over 230 models, dating back to 2011, which are still vulnerable to Spectre V2 will remain so indefinitely, as fixing the issue is both incredibly complex and not economically beneficial to Intel. The chipmaker has removed quite a few models from its patching process; The Inquirer links to the full list.

If you have one of these chips, Intel seems to suggest buying a new CPU and motherboard is your best option ... though they don't have to be from Intel, now do they?

"INTEL MIGHT NOT BE ABLE to fix the second version of the Spectre flaw that affects more than 230 models of its processors, due to how difficult it is to remove the vulnerability."

Source: The Inquirer

Intel promises 2018 processors with hardware mitigation for Spectre and Meltdown

Subject: Processors | March 15, 2018 - 10:29 AM |
Tagged: spectre, meltdown, Intel, cascade lake, cannon lake

In continuing follow up from the spectacle that surrounded the Meltdown and Spectre security vulnerabilities released in January, Intel announced that it has provided patches and updates that address 100% of the products it has launched in the last 5 years. The company also revealed its plan for updated chip designs that will address both the security and performance concerns surrounding the vulnerabilities.

Intel hopes that by releasing new chips to address the security and performance questions quickly it will cement its position as the leader in the enterprise compute space. Customers like Amazon, Microsoft, and Google that run the world’s largest data centers are looking for improved products to make up for the performance loss and assurances moving forward that a similar situation won’t impact their bottom line.

For current products, patches provide mitigations for the security flaws in the form of operating system updates (for Windows, Linux) and what are called microcode updates, a small-scale firmware that helps provide instruction processing updates for a processor. Distributed by Intel OEMs (system vendors and component providers) as well as Microsoft, the patches have seemingly negated the risks for consumers and enterprise customer data, but with a questionable impact on performance.

The mitigations cause the processors to operate differently than originally designed and will cause performance slowdowns on some workloads. These performance degradations are the source of the handful of class-action lawsuits hanging over Intel’s head and are a potential sore spot for its relationship with partners. Details on the performance gaps from the security mitigations have been sparse from Intel, with only small updates posted on corporate blogs. And because the problem has been so widespread, covering the entire Intel product line of the last 10 years, researchers are struggling to keep up.

The new chips that Intel is promising will address both security and performance considerations in silicon rather than software, and will be available in 2018. For the data center this is the Cascade Lake server processor, and for the consumer and business markets this is known as Cannon Lake. Both will include what Intel is calling “virtual fences” between user and operating system privilege levels and will create a significant additional obstacle for potential vulnerabilities.

The chips will also lay the groundwork and foundation for future security improvement, providing a method to more easily update the security of the processors through patching.

By moving the security mitigations from software (both operating system and firmware) into silicon, Intel is reducing the performance impact that Spectre and Meltdown cause on select computing tasks. Assurances that future generations of parts won’t suffer from a performance hit is good news for Intel and its customer base, but I don’t think currently afflicted customers will be satisfied at the assertion they need to buy updated Intel chips to avoid the performance penalty. It will be interesting to see how, if at all, the legal disputes are affected.

The speed at which Intel is releasing updated chips to the market is an impressive engineering feat, and indicates a top-level directive to get this fixed as quickly as possible. In the span of just 12 months (from Intel’s apparent notification of the security vulnerability to the expected release of this new hardware) the company will have integrated fairly significant architectural changes. While this may have been a costly move for the company, it is a drop in the bucket compared to the potential risks of lowered consumer trust or partner migration to competitive AMD processors.

For its part, AMD has had its own security issues pop up this week from a research firm called CTS Labs. While there are extenuating circumstances that cloud the release of the information, AMD does now have a template for how to quickly and effectively address a hardware-level security problem, if it exists.

The full content of Intel's posted story on the subject is included below:

Hardware-based Protection Coming to Data Center and PC Products Later this Year

By Brian Krzanich

In addressing the vulnerabilities reported by Google Project Zero earlier this year, Intel and the technology industry have faced a significant challenge. Thousands of people across the industry have worked tirelessly to make sure we delivered on our collective priority: protecting customers and their data. I am humbled and thankful for the commitment and effort shown by so many people around the globe. And, I am reassured that when the need is great, companies – and even competitors – will work together to address that need.

But there is still work to do. The security landscape is constantly evolving and we know that there will always be new threats. This was the impetus for the Security-First Pledge I penned in January. Intel has a long history of focusing on security, and now, more than ever, we are committed to the principles I outlined in that pledge: customer-first urgency, transparent and timely communications, and ongoing security assurance.

Today, I want to provide several updates that show continued progress to fulfill that pledge. First, we have now released microcode updates for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google. As part of this, I want to recognize and express my appreciation to all of the industry partners who worked closely with us to develop and test these updates, and make sure they were ready for production.

With these updates now available, I encourage everyone to make sure they are always keeping their systems up-to-date. It’s one of the easiest ways to stay protected. I also want to take the opportunity to share more details of what we are doing at the hardware level to protect against these vulnerabilities in the future. This was something I committed to during our most recent earnings call.

While Variant 1 will continue to be addressed via software mitigations, we are making changes to our hardware design to further address the other two. We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional “protective walls” between applications and user privilege levels to create an obstacle for bad actors.

These changes will begin with our next-generation Intel® Xeon® Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel® Core™ processors expected to ship in the second half of 2018. As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical. Our goal is to offer not only the best performance, but also the best secure performance.

But again, our work is not done. This is not a singular event; it is a long-term commitment. One that we take very seriously. Customer-first urgency, transparent and timely communications, and ongoing security assurance. This is our pledge and it’s what you can count on from me, and from all of Intel.

Source: Intel

Unmasking the Spectre; will the new patches cause a performance Meltdown?

Subject: General Tech | February 28, 2018 - 12:59 PM |
Tagged: Intel, kaby lake, Skylake, security, spectre, meltdown

With the new improved Intel patches to protect against Spectre and Meltdown, The Tech Report made the effort to revisit the performance impact you can expect on a system with a Core i7-7700HQ and a Samsung PM961 512 GB NVMe SSD. JavaScript tests show a noticeable drop in performance, and while the PCMark Essentials total score showed a dip in performance, the gaming-specific tests did not. It will be interesting to see if this levels the playing field between Ryzen and Skylake, as the performance delta is already very small. Check out the full results here.

"Intel recently released stable microcode updates to mitigate the Spectre vulnerability on Skylake and newer CPUs. We ran back-to-back tests with and without the patch on one of our Kaby Lake systems to see just how much performance suffers in exchange for safety."

The Spectre of the lakes may have been appeased

Subject: General Tech | February 21, 2018 - 01:20 PM |
Tagged: spectre, Skylake, kaby lake, Intel, coffee lake

Intel has pushed out a new set of microcode patches which should mitigate Spectre on Skylake, Kaby Lake and Coffee Lake. The new patches come with a feature which customers have been clamouring for: a lack of the spontaneous reboots which plagued systems that had taken advantage of the originally released fixes. The Inquirer did not receive any information on the performance hit of these new fixes, though they should be comparable to the effect of the originals. Drop by for more info and links to Intel's patch roadmap.

"The latest Spectre-mitigating updates from Intel have passed "extensive testing by customers and industry partners to ensure the updated versions are ready for production," according to Intel's Navin Shenoy."

Source: The Inquirer

A quick lesson in bad optics from Intel

Subject: General Tech | January 29, 2018 - 01:26 PM |
Tagged: Intel, spectre, meltdown

This story has initiated a lot of guesswork and is likely not as bad as it is being made out to be; however, it is a great example of how not to react to a major flaw. Without even delving into the selling of Intel stocks, it is already easy to point out how badly the Spectre and Meltdown flaws have been handled, from the initial Microsoft patches offering possible performance degradation to the Intel microcode patches rebooting machines and the final official recommendation to avoid the patches altogether for now.

As Slashdot linked to today, Intel reached out to their major customers before alerting the general public about the issue. This is a common practice in the industry, to inform vendors, resellers and manufacturing partners about major changes that they will be required to implement to mitigate a patch. However, in these days of 'cyberwarfare', there is some cause for concern that foreign companies may have communicated this information, knowingly or not, to their respective governments. Intel chose not to inform governments directly about the flaws, something which seems like it really should be done in today's world. It is unlikely anything horrible has happened on a widespread basis because of this flaw and the playing field is now level again; however, this remains a great example of how not to deal with the discovery of a major architectural flaw which continues to cause grave security concerns globally.

"According to The Wall Street Journal, Intel initially told a handful of customers about the Meltdown and Spectre vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, before the U.S. government. As a result, the Chinese government could have theoretically exploited the holes to intercept data before patches were available."

Source: Slashdot

Intel will be melting down the spectre of insecurity later this year

Subject: General Tech | January 26, 2018 - 12:45 PM |
Tagged: Intel, spectre, meltdown, rumour

Brian Krzanich, still the lead at Intel, announced that new Intel chips will arrive in 2018 which are immune to Spectre and Meltdown. This is interesting in several ways, and may offer the first really compelling reason to upgrade an Intel system in quite some time. It is unlikely this new processor will be Cannon Lake, as it has been taped out for long enough that there are accusations that Intel is purposely holding it back. It could indicate that Ice Lake will arrive earlier than expected, both to resolve their architectural flaws and as a counter to AMD's Ryzen and ThreadRipper, or possibly only refer to a certain family of mobile or server chips. It is also unknown what effect the changes will have on the performance of these chips. The Inquirer would like to know ... about a few things, in fact.

"INTEL CEO Brian Krzanich, he of the conveniently well-timed stock sale, has told investors that the company will launch chips immune to the Meltdown and Spectre vulnerabilities later this year."

Source: The Inquirer