Slyguy

Level 43
If not AMD Ryzen, I would just go for Intel Core i5. :D I don't consider buying i9, heck even i7. :D
My reason for going for Ryzen is not so much about the vulnerability (I know Ryzen is affected by Spectre), but really I just want to feel the hype about the new chip. :D
Get a Ryzen, AMD announced price drops close to $100 per CPU on them already.

Also, anyone saying this is hyped probably isn't aware of the enterprise/corporate landscape which makes this a really big deal. We're seeing performance hits across the board with Intel that aren't easily mitigated. On our Azures we're having to pay for extra CPU cycles from MS which is going to drive up the cost of those vdoms a good bit (probably a lot). This changes the entire operation of some of our solutions engineering. This has put hundreds of thousands of dollars in projects on hold for re-evaluation. We've fielded hundreds of calls from clients regarding real, measurable slowdowns on their systems and servers, and all of those calls have to be addressed.

The real issue isn't so much that there were backdoors in CPUs, but rather the performance impact of the fixes. A general consumer won't be as heavily impacted by this but everyone else will be. The 'speed at any cost' reckless development of Intel may cause issues for some time to come. We're forced to put out an email blast to our thousands upon thousands of customers today to address this and rest assured, blame will be squarely placed where it needs to be placed and we will be encouraging our customers to join any litigation against involved parties.

Imagine explaining to a customer why their 100-server cluster (VM) suddenly has an 18-30% performance drop across each of 100 virtualizations of 2008R2? Yeah, it's been a rough week so far..
 

In2an3_PpG

Level 17
Verified
Content Creator
Performance Hit: Meltdown and Spectre Patches Slow Systems

Intel, Microsoft and Linux Confirm Slowdowns - Especially For Servers, Older PCs

After getting a Meltdown and Spectre firmware fix, platforms combining Intel's latest, 8th-generation chip with solid state storage run on average 6 percent more slowly. Older systems will likely see more pronounced slowdowns.

Security researchers, operating system developers, microprocessor engineers and others are creating patches to help defend against the three memory corruption flaws collectively known as Meltdown and Spectre.

But the fixes carry a performance cost, in part because the "side-channel attacks" exploit a physical feature built into modern microprocessors that speed up operations. At least so far, safeguarding against attacks has required sacrificing speed.

On the upside, security researchers say that patches can help block exploits that target Meltdown and Spectre, which were first publicly disclosed on Jan. 3 and which affect millions of modern computing devices based on Intel, ARM and AMD chips. That includes not only PCs and smartphones, but also enterprise appliances and servers used in data centers that process large workloads (see Meltdown and Spectre Forecast: Patch Now and Keep Patching).

Intel, whose chips are most exposed to the flaws, on Tuesday reported that based on its PC benchmarking tests of 8th Generation Core platforms - its most modern processor, introduced last October - with solid state storage, it saw processor performance decrease by 2 percent to 14 percent, with an average 6 percent reduction, after installing patched firmware. The performance degradation for older processors and systems with hard disk drives would likely be more severe.

Intel is already facing multiple U.S. class action lawsuits filed over the flaws.

But with firmware and software updates continuing to roll out, there's no accurate view yet of the performance costs that patching may incur. "It is important to note that many of the benchmarks published so far do not include both OS and silicon updates," Terry Myerson, executive vice president for Microsoft's Windows and devices group, says in a Tuesday blog post.

For maximum assurance against Meltdown and Spectre, organizations could "replace CPU hardware," which was the only solution first offered by Carnegie Mellon University's CERT Coordination Center (see Serious Meltdown and Spectre Flaws Make CPUs Exploitable). But CERT/CC later revised its recommendation to only read "apply updates." CERT/CC didn't immediately respond to a request for comment about what led to its revision.

Regardless, for most organizations, ditching their silicon outside of standard refresh cycles would be prohibitively costly. Furthermore, chips that lack the flaws still lie in the future.

"Obviously it'll need to be designed out in the microarchitecture of future chips, but the interesting technical question is how can they maintain performance without the sort of mechanism that this is exploiting," says Alan Woodward, a professor of computer science at the University of Surrey.

Service Providers See Slowdowns
As Intel's tests demonstrate, at least some devices patched against Meltdown and Spectre will experience reduced performance.

Already, some cloud service providers and web services have reported seeing slowdowns. On Friday, U.S. videogame company Epic Games, which develops such titles as Unreal, Gears of War and Infinity Blade, blamed "recent login issues and service instability" on its Meltdown patches.

"All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability," it said. "We heavily rely on cloud services to run our backend and we may experience further service issues due to ongoing updates."


The green line shows the increase in CPU usage for one of the three cloud service hosts used by Epic Games to host its Fortnite game, after its cloud service patched on Jan. 4 to address the Meltdown vulnerability. (Source: Epic Games)

Ian Chan, director of engineering for business analytics platform BranchMetrics, also reported seeing a significant performance impact after Spectre patches - not Meltdown, as he first suspected - were applied to the company's Amazon Web Services instances.

Ian Chan@chanian

The #Meltdown patch (presumably) being applied to the underlying AWS EC2 hypervisor on some of our production Kafka brokers [d2.xlarge]. Ranges from 5-20% relative CPU increase. Ooof.

8:46 PM - Jan 5, 2018

Microsoft Confirms Slowdowns
Benchmark tests remain underway, as do efforts by everyone involved to iteratively design new patches that reduce performance penalties associated with the three vulnerabilities:

• Spectre: Refers to attack variant 1, a bounds check bypass (CVE-2017-5753), as well as variant 2, a branch target injection (CVE-2017-5715), which can be used to take advantage of CPU timing to read kernel memory.
• Meltdown: Refers to variant 3, which is a rogue data cache load (CVE-2017-5754) that can be used to read kernel memory.

"In general, our experience is that variant 1 and variant 3 mitigations have minimal performance impact, while variant 2 remediation, including OS and microcode, has a performance impact," Microsoft's Myerson says.

Windows Benchmarks
Benchmarks of Windows 10 running on 2016-era PCs or newer - with Skylake, Kabylake or newer CPUs - have on average seen "single-digit slowdowns" that Microsoft says shouldn't be noticeable. But Windows 10 running on older systems gets noticeably slower, he says.

Meanwhile, for users of older operating systems and hardware, "we expect most users to notice a decrease in system performance," in part due to operating system design, he says. "Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel."

And all Windows Server instances, regardless of how new the underlying hardware might be, will experience a "significant performance impact" if administrators follow Microsoft's Meltdown and Spectre security recommendation to isolate untrusted code within each server instance, if such code might pose a risk, Myerson says. "This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment."

Kaiser's Cost
Linux servers face similar challenges.

Linux introduced its first fix for Meltdown and Spectre last November in the form of Kaiser, short for "kernel address isolation to have side-channels efficiently removed." At the time, Jonathan Corbet, a technical advisory board member for The Linux Foundation, said that Kaiser created a "performance penalty" which in worst-case examples appeared to slow systems by nearly one-third.

"Kaiser will affect performance for anything that does system calls or interrupts: everything," he said. "Most workloads that we have run show single-digit regressions. Five percent is a good round number for what is typical. The worst we have seen is a roughly 30 percent regression on a loopback networking test that did a ton of syscalls and context switches."

Linux creator Linus Torvalds on Jan. 3 blasted Intel's engineers over the flaws and users' inability to disable Intel's workarounds. Unless Intel committed itself to fixing the problems, he added, "maybe we should start looking towards the ARM64 people more."

Linux Performance Questions
Jon Masters, Red Hat's chief ARM architect, has confirmed that addressing variant 2 creates a "not insignificant" slowdown for processors. "Red Hat's patches will default to implementing the security change and accepting the performance impact, but we've also given system administrators the ability to toggle this - and all the implemented settings - on or off," he says.

Again, benchmark tests remain underway. "Actual performance impact numbers will depend on the software and environment in question," Andy Patel, a security researcher for Finnish anti-virus firm F-Secure, says in a Tuesday blog post. Servers will likely see the biggest impact, he says, while home machines may see no noticeable impact at all.

Meanwhile, Linux systems designed to mine cryptocurrency such as bitcoin and monero don't appear to be affected, Patel says. "Mining, whether CPU- or GPU-based, shouldn't be affected - there shouldn't be any syscalls in mining loops," he says. "Monero - a CPU-based miner - network hashrate appears largely unchanged since the patch."

Recommendation: Patch
Despite the performance problems, the prevailing information security wisdom is for everyone to begin patching immediately and to keep patching.

Britain's National Cyber Security Center, part of intelligence agency GCHQ, says consumers should install patches as soon as they're available as well as "enable automatic updates so that future security measures are installed for you."

Chips require firmware updates; Intel's chips appear to be most affected. But some older AMD chips have been left unbootable by Microsoft's first security update designed to address the flaws. Microsoft and AMD say they're working on fixes (see Microsoft Pauses Windows Security Updates to AMD Devices).

Apple, Google, Linux, Red Hat and Suse have released operating system updates that begin to address Meltdown and Spectre, as has Microsoft, which says that so far it's shipped patches for 41 of the 45 editions of Windows it supports. All browser makers have also shipped updated software - or plan to soon do so - that is designed to address the flaws.

Intel began sending firmware updates to manufacturers last month. "For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January," Intel says. "We will continue to issue updates for other products thereafter." Then it will be up to device manufacturers to update the software and distribute it to users. There are no guarantees on when - or in some cases if - that will happen.

Guidance for Enterprise Administrators
As patches and updates do become available on all fronts, however, NCSC recommends organizations install them as quickly as possible. But of course enterprise administrators must also identify all vulnerable cloud services, data centers and servers, end user devices as well as applications and software used by their organization, and then track what promise to oftentimes be multiple waves of patches for any given device or service.

Many major enterprise vendors - ranging from Cisco and Dell to IBM and Juniper - among others - have confirmed that at least some of their products are at risk from Meltdown and Spectre and say they don't yet have a full picture.

For all hardware devices, NCSC says, "it's not sufficient just to update the operating system - you will need to check that the underlying firmware is also up to date." While blocking Meltdown only requires software fixes, defending against Spectre requires both firmware and software fixes.
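A defender-side check of how the variants listed above are reported on Linux, as an added example that is not from the article or from anyone in this thread: it reads the per-flaw status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later) and maps them to the three CVEs so an administrator can see which mitigations are actually active after an OS and microcode update. The SAMPLE dictionary is constructed input so the script runs offline on any host.

```python
"""Summarise Linux Meltdown/Spectre mitigation status (added example, not from the thread)."""
from pathlib import Path

# sysfs directory the kernel populates from 4.15 onwards, one file per flaw.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Variant numbers and CVE ids as listed in the article; keys are the kernel's file names.
VARIANTS = {
    "spectre_v1": ("Spectre variant 1, bounds check bypass", "CVE-2017-5753"),
    "spectre_v2": ("Spectre variant 2, branch target injection", "CVE-2017-5715"),
    "meltdown": ("Meltdown variant 3, rogue data cache load", "CVE-2017-5754"),
}


def classify(status_line):
    """Map one sysfs status line to (state, detail).

    Kernels emit "Not affected", "Vulnerable", "Vulnerable: <partial measure>"
    or "Mitigation: <technique>"; anything else is reported as unknown.
    """
    s = status_line.strip()
    low = s.lower()
    detail = s.split(":", 1)[1].strip() if ":" in s else ""
    if low == "not affected":
        return "not_affected", ""
    if low.startswith("mitigation:"):
        return "mitigated", detail
    if low.startswith("vulnerable"):
        return "vulnerable", detail
    return "unknown", s


def summarise(statuses):
    """statuses: {sysfs file name: file content}. Returns rows (cve, desc, state, detail)."""
    rows = []
    for name, (desc, cve) in VARIANTS.items():
        if name not in statuses:
            # Pre-4.15 kernels have no reporting at all, so treat them as unpatched.
            rows.append((cve, desc, "missing", "no sysfs entry; kernel likely unpatched"))
            continue
        state, detail = classify(statuses[name])
        rows.append((cve, desc, state, detail))
    return rows


def needs_action(rows):
    """CVEs that still need OS or microcode work: vulnerable, unknown or unreported."""
    return [cve for cve, _, state, _ in rows if state not in ("mitigated", "not_affected")]


def read_sysfs(base=SYSFS_DIR):
    """Read the live status files; returns {} on non-Linux hosts or older kernels."""
    path = Path(base)
    if not path.is_dir():
        return {}
    return {p.name: p.read_text() for p in path.iterdir() if p.is_file()}


# Constructed sample: KPTI active, variant 1 handled, variant 2 reported as only
# partially covered (the firmware-backed part of the fix is still outstanding).
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    rows = summarise(read_sysfs() or SAMPLE)  # falls back to the sample offline
    for cve, desc, state, detail in rows:
        print(f"{cve:14} {state:12} {desc} [{detail}]")
    print("needs action:", ", ".join(needs_action(rows)) or "none")
```

A "missing" row on a running Linux host means the kernel predates the sysfs reporting and has none of these fixes, which is the same situation the article describes for unpatched EOL machines.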

 

Slyguy

Level 43
One more thing, if you think Intel will skate free from this, think again. The first question out of most of our customers is "What Intel alternative can you recommend?" Word is, the big boys are also in talks to speed alternatives to Intel into the business solution channels.

One major supplier's words to me: "Intel can F itself, we're done." Remember, it's companies like Dell, HP, Lenovo, etc. that are going to be dealing with the top-level fallout from this directly. Either with extensive man-hours on support and patching, or simply from angry customers, all of the way down to customers demanding non-Intel solutions.

The industry will respond and Intel won't like the result.

Cloud Providers Are Considering Intel Rivals After Meltdown, Spectre Chip Flaw Discoveries
 

Faybert

Level 22
Verified
Malware Hunter
If not AMD Ryzen, I would just go for Intel Core i5. :D I don't consider buying i9, heck even i7. :D
My reason for going for Ryzen is not so much about the vulnerability (I know Ryzen is affected by Spectre), but really I just want to feel the hype about the new chip. :D
The same thing here, if it is to buy a new one, it will be an i5.
 

Vasudev

Level 30
Verified
As promised in MEI SA0086 thread, the CPU microcode updater is ready to be applied on all Intel machines affected by Meltdown & Spectre. This updater is the only way to fix EOL machines.
@Jack @Umbra @rockstarrocks @Opcode @SHvFl @BoraMurdar @frogboy @Deletedmessiah @Captain Awesome and all members of MT.
Here is the link [WARNING] Intel Skylake/Kaby Lake processors: Broken HT on Laptops & PC [Fix is here]
You can see on the next page that CPU performance isn't affected at all by the microcode patch, which simply fixes the issues if the vendor is taking a long time to patch the BIOS.
I hope everyone finds it useful.
 

rockstarrocks

Level 20
Verified
As promised in MEI SA0086 thread, the CPU microcode updater is ready to be applied on all Intel machines affected by Meltdown & Spectre. This updater is the only way to fix EOL machines.
@Jack @Umbra @rockstarrocks @Opcode @SHvFl @BoraMurdar @frogboy @Deletedmessiah @Captain Awesome and all members of MT.
Here is the link [WARNING] Intel Skylake/Kaby Lake processors: Broken HT on Laptops & PC [Fix is here]
You can see on the next page that CPU performance isn't affected at all by the microcode patch, which simply fixes the issues if the vendor is taking a long time to patch the BIOS.
I hope everyone finds it useful.
Thanks Vasu, I will try that tonight. Let's hope it goes smoothly.
 
509322

Woops :(

This is what happens when there is so much info in one topic
The topic has long since passed the point of information sprawl and over-kill.

With a matter such as this, information necessarily will be revised weeks or months later - but none of those revisions will get posted or distributed anywhere near the extent as the initial overkill - and that is unfortunate.
 

Slyguy

Level 43
Top Secret as in.. Top Secret like, Govt. top secret or Intel top secret?

How an industry-breaking bug stayed secret for seven months
They thanked Schwarz for his contribution, but told him what he had found was top secret.

I'm thinking years ago he might have 'suicided' or had a 'heart attack', perhaps some other unfortunate event. But the assumption these days is - if someone knows then many people probably already know as well. Which makes keeping people quiet way harder.
 
Slyguy

Level 43
In related news.. Power Wash your Chromebooks, tick 'Update Firmware' during the powerwash, and you might just get the kernel upgrade. They're pushing now on vulnerable books (however few that is).
 
NormanF

Level 1
The hysteria is just nuts!

I've been running various Intel and AMD systems for the past generation and have NEVER encountered any hardware vulnerability.

This isn't even worth wasting time on and most people never see an attack on their PCs.
 
Deleted member 65228

This isn't even worth wasting time on and most people never see an attack on their PCs
Tell that to the millions of people who have been infected over the recent years. Tell that to the NHS who had their systems breached and destructed by the WannaCry ransomware. Tell that to the millions who have seen the Zeus banking malware in action. SpyEye, Carberp, Petya, NotPetya, BadRabbit, Rombertik, the list goes on. Between 2013-2014, over half a million systems became compromised with the CryptoLocker malware, which belongs to the ransomware family, and relied on strong RSA encryption for the affected documents.

People's systems do get regularly attacked, both home and business users - attacks are doubling each year despite media which says the opposite. The difference is typically in the complexity of the attack. However, hardware/firmware exploitation is indeed a rare thing and the chances of the Meltdown/Spectre vulnerability being leveraged in a real attack scenario anytime soon are extremely slim in my opinion.

Never count your chickens. This is a game of cat and mouse which has no ending.
 

Slyguy

Level 43
The hysteria is just nuts!

I've been running various Intel and AMD systems for the past generation and have NEVER encountered any hardware vulnerability.

This isn't even worth wasting time on and most people never see an attack on their PCs.
Did you register an account just to come here and tell us that everything is fine and to ignore all of the issues?

First, while I agree there is some hysteria, we're also seeing moderate voices in the IT world chime in with a sense of urgency. This is a big problem and nobody is denying that (Except for perhaps Intel - and you). Microsoft originally planned a patch Tuesday rollout but felt the need to start the rollout on the Friday before, was Microsoft succumbing to the hysteria or were they legitimately worried it could be exploited in short order?

How do you know you've never encountered any hardware vulnerability? Do you have the knowledge to spot one, to know when one was exploited? Do you know all of your data in the cloud hasn't been subjected to one? You don't, so your statement isn't valid.

I'd wager most people DO have an attack on their PCs. In fact, I see it consistently, daily, and with alarming regularity now. I spent the better part of today assigning technicians to clean up machines that were attacked. The plethora of attacks, malware, vulnerabilities and the booming IT Security, PC Security, Antivirus/Anti-Malware businesses all tend to disagree with you. If there wasn't an intense need for all of it then nobody would pay attention to it - and you might have a point but that isn't the case. Remember, at this point it's not all about vulnerabilities, but those darn slowdowns. Which in some cases are pretty significant.

Your last statement I would agree with - if you were referring to Linux or ChromeOS computers. You aren't, so the statement is largely conjecture.
 
NormanF

Level 1
Tell that to the millions of people who have been infected over the recent years. Tell that to the NHS who had their systems breached and destructed by the WannaCry ransomware. Tell that to the millions who have seen the Zeus banking malware in action. SpyEye, Carberp, Petya, NotPetya, BadRabbit, Rombertik, the list goes on. Between 2013-2014, over half a million systems became compromised with the CryptoLocker malware, which belongs to the ransomware family, and relied on strong RSA encryption for the affected documents.

People's systems do get regularly attacked, both home and business users - attacks are doubling each year despite media which says the opposite. The difference is typically in the complexity of the attack. However, hardware/firmware exploitation is indeed a rare thing and the chances of the Meltdown/Spectre vulnerability being leveraged in a real attack scenario anytime soon are extremely slim in my opinion.

Never count your chickens. This is a game of cat and mouse which has no ending.
The article didn't discuss malware infections. It discussed an Intel hardware vulnerability. Like I said and you agreed, an attack on that vector is exceedingly remote. Hardware failure is possible but is usually repairable. And flaws in PC hardware are rarely of a magnitude sufficient to compromise the safe running of the PC itself.
 

NormanF

Level 1
Did you register an account just to come here and tell us that everything is fine and to ignore all of the issues?

First, while I agree there is some hysteria, we're also seeing moderate voices in the IT world chime in with a sense of urgency. This is a big problem and nobody is denying that (Except for perhaps Intel - and you). Microsoft originally planned a patch Tuesday rollout but felt the need to start the rollout on the Friday before, was Microsoft succumbing to the hysteria or were they legitimately worried it could be exploited in short order?

How do you know you've never encountered any hardware vulnerability? Do you have the knowledge to spot one, to know when one was exploited? Do you know all of your data in the cloud hasn't been subjected to one? You don't, so your statement isn't valid.

I'd wager most people DO have an attack on their PCs. In fact, I see it consistently, daily, and with alarming regularity now. I spent the better part of today assigning technicians to clean up machines that were attacked. The plethora of attacks, malware, vulnerabilities and the booming IT Security, PC Security, Antivirus/Anti-Malware businesses all tend to disagree with you. If there wasn't an intense need for all of it then nobody would pay attention to it - and you might have a point but that isn't the case. Remember, at this point it's not all about vulnerabilities, but those darn slowdowns. Which in some cases are pretty significant.

Your last statement I would agree with - if you were referring to Linux or ChromeOS computers. You aren't, so the statement is largely conjecture.
I've never had a software-related infection of my PCs because I followed safe computing practices. With regard to the Intel CPU vulnerability found, sure it could be patched. But as we have learned from Microsoft's efforts to patch the Spectre/Meltdown flaw affecting Intel/AMD chips, the patch bricked AMD PCs and rendered them unbootable. Sure, security is important but an obsession with it can sometimes do more harm than good. In the real world, we have to decide if a threat is serious enough that addressing it won't create other problems with our PCs.
 
509322

However, hardware/firmware exploitation is indeed a rare thing and the chances of the Meltdown/Spectre vulnerability being leveraged in a real attack scenario anytime soon are extremely slim in my opinion.
Average malc0der is not in that game. If it was dropped into their lap they would not know how to leverage it. And they don't have the resources to scale it.