Major Intel CPU Hardware Vulnerability Found, Could Cost 35% Performance

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,632
OS
Other OS
#42
Remember kids, this isn't the first time Intel has been leaving in backdoors. Anyone remember Creepy Janitor or Ring-2 backdoor? I never trusted Intel and hence, never really purposely purchased desktops with chips based on it.

Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

There was a reason John Titor time traveled back to get a pristine IBM 5100, he said everything else was compromised after that system. :D
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#45
Opcode wrote:
"I believe the government should be able to do their job and monitor people of interest for valid reason, but at the same time I don't think that systems should be left vulnerable for some creepy nerd to remotely access it because a hardware manufacturer felt like cutting corners or for whatever reason."
- I think the same...

Here you have two responses on debate.org:
Is it justifiable to violate certain civil liberties in the name of national security?
"3000 people perished on 9/11 is not enough to grasp the concept of safety in time of war?
War against terror is a real war, but people don't perceive it as such, because it is different from traditional wars. In times of extreme danger, for the safety of our nation it is vital to use extreme measures to protect the country until the level of danger subside. How many people have to die until this simple concept is assimilated? 3000 people on 9/11 is not enough?"

... and another voice:
"No invasion of my personal privacy, electronic data collection, phone monitoring, internet search monitoring.
I love my country but believe in the constitution that made us willing to fight and die for her over the years. It is obvious that the Patriot Act is the right to abuse Government oversight. The Patriot Act needs to be repealed and a clean slate of electronic assistance into Government monitoring established."

On another thread from debate.org:
"Read "1984" by George Orwell - the constant state of war (or fear) was the ultimate power the government had. Welcome to your future."
 

Deleted member 65228

Guest
#46
I think monitoring is fine but only with a valid reason. I don't think having a backdoor ready for usage whenever for everyone is a good idea because that same backdoor can be used by an attacker. I'm no mastermind so I don't know what alternative they can do, but the point is you don't know who is working at the government using such spy tools and you don't know who is rogue or not, so anything can happen with it.

But a master decryption key and such is just stupid. Firstly, what are the restrictions? It will likely trigger a war, not stop one. What if Russia dislikes the US having one which applies for Apple products in Russia as well? Or another country doesn't want another spying with a backdoor in products used by their own government? See?

So I think a country monitoring is fair, even overseas as sometimes it is necessary, but the governments should work more together and be as unintrusive as possible on citizens they have done checks on to know are genuine and safe.

And stuff like being exposed for trying to sabotage Kaspersky, working with another country to hack a security company, making tools capable of framing someone else, etc... well that doesn't make me want to trust said government. Hint hint.
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#48
News from Aug 29, 2017:
Now you, too, can disable Intel ME 'backdoor' thanks to the NSA (on csoonline.com)
...
Intel refuted those backdoor accusations, saying, “Intel does not put backdoors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts to decrease security in technology.”...
...Here comes the good news. As Positive Technologies researchers Mark Ermolov and Maxim Goryachy poked into the firmware, they discovered an undocumented HAP field. HAP, which stands for the High Assurance Platform (pdf) program, was developed by the NSA. The framework was for the “development of the ‘next generation’ of secure computing platforms.”
The researchers discovered an undocumented field called “reserve-hap” and that HAP could be set to “1” for true. ...
...
If you want to disable Intel ME, you should first read the in-depth technical explanation about the researchers finding “an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage.” Positive Technologies also made its Intel ME 11.x firmware image unpacker utility available on GitHub. Use at your own risk; the methods to disable Intel ME were described as “risky and may damage or destroy your computer.”

_______________

Ah, maybe we have a little strap to remove so that the Intel CPU problem disappears suddenly?
Search... and you will find!
 

AtlBo

Level 26
Verified
Joined
Dec 29, 2014
Messages
1,511
Antivirus
Qihoo 360
#49
Opcode wrote:
"I believe the government should be able to do their job and monitor people of interest for valid reason, but at the same time I don't think that systems should be left vulnerable for some creepy nerd to remotely access it because a hardware manufacturer felt like cutting corners or for whatever reason."
- I think the same...
If they were willing to be sincere and transparent with everyone, there could be a system that everyone can live with across the board...business to gamers.

"Intel refuted those backdoor accusations, saying, “Intel does not put backdoors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts"
I appreciate what Intel says here, but if Intel had helped the U.S. government develop back door technologies to be built into their products, would anyone ever believe Intel wouldn't just blatantly lie about doing so? Well, if indeed everyone started expecting answers about connections between the U.S. government and Intel and Microsoft and so on that were true, we would be about 99% likely to get lies from Intel or whoever was involved. These lies would be STONE COLD too. No apologies and no regrets. No amateur hour lies...professionally scripted like there's no tomorrow lies.

I hope that the U.S. government didn't get into business with Intel or Microsoft or any of the communications companies on any level, and I hope vice versa also. I also hope Intel can come up with a quick answer to this gigantic dilemma. However, if Intel and/or MS did get involved with government on any level other than to be on the same page about developing a securable structure to the internet and a securable structure for communications (if there was wanton careless disregard for the well-being of good people on any level in any collaboration between the entities), I know it will come to light. In that case, the difficulties that would surely follow would be deserved by all involved parties.

Government in the U.S. exists only to look after the interests of the people. American law considers a company a person, but any association with communications or computer related businesses is outside the scale of reasonable for the American government to attempt. This kind of association is completely unmanageable for a government agency. The CIA would be turned into the keystone cops trying to do business with the individuals who represent these companies. No, American government needs a system that guarantees them that they can monitor communication passively (computer searching for potential dangers) for dangerous activities, but anything beyond that is foolishness and contempt for common sense.

Honestly, it seems normal to me that the U.S. government should be working with the communications/computer industry at the present time. However, they should be working together with a clear understanding that they have separate interests. Whatever is going on, they don't seem to have this for now. Ultimately, the U.S. government can buy American businesses security and peace of mind by being able to monitor passively and generically. They can deliver this through simple CIA automated analysis of communications traffic...that is whatever they are able to monitor. The rest will be up to the operatives within that agency. Business keeps the U.S. military in its uniforms and the CIA and the rest of them staffed. These entities have got to start being real with each other at some point. The sooner the better.

"Ah, maybe we have a little strap to remove so that the Intel CPU problem disappears suddenly?
Search... and you will find!"
Yes, I have to believe they will come up with something better than a new processor for everyone. Seriously...:rolleyes:

"And stuff like being exposed for trying to sabotage Kaspersky, working with another country to hack a security company, making tools capable of framing someone else, etc... well that doesn't make me want to trust said government. Hint hint."
100% the worst sign to see from the American government. With this government, where there is smoke, there is fire. I know by the end of all of the struggles of the PC industry, everything will be sorted out properly. It's a pretty rough ride, though...
 

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,632
OS
Other OS
#51
Intel's response is lame as heck.

"Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. "

So it's not a bug or flaw but it requires software patching to fix the non-bug and non-flaw that will reduce performance by up to 35%+? Sounds good Intel, keep talking... Then there is this gem;

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,”

35% isn't significant? Own up to this Intel, you skirted security and common sense to squeak out more speed and hoped nobody would find out. Your CEO dumped his stock after finding out others knew and it would be disclosed.

Intel Responds to Security Research Findings
 

AtlBo

Level 26
Verified
Joined
Dec 29, 2014
Messages
1,511
Antivirus
Qihoo 360
#54
"Intel believes these exploits do not have the potential to corrupt, modify or delete data."
What about stealing data? WHAT are they attempting with this statement? Intel should be silent on the data security issue other than to say the issue is being looked into and that there will be patches for some things which should safeguard data from data theft in the short term.

"Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits."
This sounds like a complete attempt at redirection. In the opening, this statement says, "Intel believes these exploits do not have the potential to corrupt, modify or delete data." Now they say their products are as unsafe as everyone else's? This is gibberish. Unsafe is unsafe, and unsafe is headed for lawsuits if it doesn't come up with answers fast. It's seriously that simple. "Tolerate my unsafety like everyone else's"....puleez...:LOL: They'll have their day in court if their product(s) is/are unsafe, Intel.

"Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
Now they AGAIN admit there is an issue with their product and then that there will be a performance problem, all the while dragging AMD into the issue. The statement comes across like a child who just broke some valuable antique. Well, unfortunately, think I hear a lawsuit coming from AMD if their processors don't have this issue, and Intel's do. On performance, of course, they probably know how much truth there is to the concerns over performance loss. Yet, Intel is not being straight here with the simple truth about their processors. Either they are compromisable or not. If they are, all they should say is that they are working on the issue. They should be the same way about the performance issue.

"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports."
Hope this is true, but we will find out. Also, this statement is a tap dance. It's absurd to hear this from individuals representing the best of technology and its single ability to empower humans for greatest success.

"Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."
Translated..."We're going out for a beer you guys. Don't pay any attention to what anybody says about us or how unsafe our products are to use. Just get the patch, bro...Srsly, you didn't need that processor power...c'mon..." :devil:

If Intel has issues with what's being said, because they have facts to the otherwise, they should just say they have facts. I expect a whole lot better than this statement from a corporation in this situation. This should have been a short statement citing security reasons for saying that there will be information on the issue later. Leave it right there for now. The whole article comes across as intentional vaguery...or drunken babble. (n):(

It's a bad statement, but I do hope the problem is overstated. IDK what to say. I guess we will have to wait like everyone else and see what happens in the next several days.

EDIT: I am really concerned now that I think about it about the omission of data theft from Intel's second sentence in this statement. Looking at this statement again, it almost reads like Intel is trying to omit data theft from the issue. Almost seems like they could be trying to cover up something here to me. Not to say it's true, but reading the statement carefully really concerns me. First, "there have been rumors that data can be stolen". But then there is, "Intel believes these exploits do not have the potential to corrupt, modify or delete data." NO mention of stealing data. Looks so much like an attempted deflection to me. And why isn't data theft mentioned? I don't like this from Intel one bit, and I think people are going to see through to what isn't being said here...
 

Danielx64

Level 10
Verified
Joined
Mar 24, 2017
Messages
472
OS
Windows 10
Antivirus
ESET
#55
Hmmm, even worse than everyone thinks it is, could have been around since 1995.....

Critical flaws revealed to affect most Intel chips since 1995

Just hours after proof-of-concept code was tweeted, security researchers have revealed the long-awaited details of two vulnerabilities in Intel processors dating back more than two decades.

Two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.

The researchers who discovered the vulnerabilities, dubbed "Meltdown" and "Spectre," said that "almost every system," since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.

"An attacker might be able to steal any data on the system," said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet.

"Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine," according to the paper accompanying the research.

The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems.

AMD chips are affected by some but not all of the vulnerabilities. AMD said: "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
 

Deleted member 65228

Guest
#56
"The researchers who discovered the vulnerabilities, dubbed "Meltdown" and "Spectre," said that "almost every system," since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines."
Lol if a PoC source code goes out, it is gonna get copy pasted and used. That is common sense.
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#57
AtlBo wrote:
"Translated..."We're going out for a beer you guys. Don't pay any attention to what anybody says about us or how unsafe our products are to use. Just get the patch, bro...Srsly, you didn't need that processor power...c'mon..." :devil:"


- New Intel statements do not improve the company's image.
On the contrary, they are in the process of sinking like children, who are surprised to do bad, strange things, their faces can be reddish with shame....?

Only truth will set you free.
 

LASER_oneXM

Level 28
Content Creator
Verified
Joined
Feb 4, 2016
Messages
1,773
OS
Windows 8.1
Antivirus
Kaspersky
#58
source (bleepingcomputer.com): OS Makers Preparing Patches for Secret Intel CPU Security Bug

Work on patching the issue started a few months back

Experts first started speculating that something was afoot in November last year when the Linux project added support for a new security feature called Kernel Page Table Isolation (KPTI).


As described at the time, KPTI would work by separating the kernel memory space from the memory space accessed by normal (usermode) processes.

Up to that point, kernel operations and usermode processes shared the same memory space, but were separated inside different "virtual" memory spaces.

Some of the world's leading kernel experts believe someone found a way to reveal the (supposed-to-be-secret) memory location of kernel code via an exploit delivered via a user-level process, and then read the content of that memory.

Patches coming to cloud services, Linux, Windows

Linux maintainers have already shipped versions of the Linux kernel containing the said fixes. Microsoft has also released fixes, but only for Windows Insiders builds, with patches for mainstream Windows branches expected next week. Apple reportedly patched the issue in macOS 10.13.2.

Cloud providers such as Google, Amazon, and Microsoft are set to patch issues this and next week, with companies announcing customers of planned downtime.

Many users fear performance dip for Intel CPUs

Experts who analyzed the new KPTI security feature said that by separating kernel and usermode memory spaces, processing speed will be affected and some systems may see a performance dip.


Some tech and hardware blogs have already started benchmarking CPU performance for operating systems before and after the patch, and some have reported performance dips. Nonetheless, readers should take into consideration that these are in-dev OS versions and the patched OSes may receive further patching and optimization.
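
One way to check whether the KPTI fix described in the post above is actually active on a Linux machine, as an added example that is not part of the thread or of the quoted article. The helper name kpti_verdict is hypothetical and the sample inputs are constructed; the sysfs file, the "pti" flag, the "cpu_meltdown" bug entry and the nopti / pti=off / mitigations=off boot options are what kernels that report mitigation status expose.

```sh
#!/bin/sh
# Added example: classify a Linux host's Meltdown/KPTI state from kernel-exposed text.
#   $1  contents of /sys/devices/system/cpu/vulnerabilities/meltdown
#       (pass "" when the kernel predates that file)
#   $2  contents of /proc/cpuinfo
#   $3  contents of /proc/cmdline
# kpti_verdict is a hypothetical helper name, not an existing tool.
kpti_verdict() {
    sysfs=$1; cpuinfo=$2; cmdline=$3

    # Boot parameters that switch kernel page-table isolation off.
    off_by=
    for opt in $cmdline; do
        case $opt in
            nopti|pti=off|mitigations=off) off_by=$opt ;;
        esac
    done

    # First "flags" and "bugs" lines of cpuinfo, reduced to their token lists.
    flags=$(printf '%s\n' "$cpuinfo" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    bugs=$(printf '%s\n' "$cpuinfo" | sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' | head -n 1)

    # Prefer the kernel's own statement when the sysfs file exists.
    case $sysfs in
        "Not affected"*)    echo "not-affected"; return 0 ;;
        "Mitigation: PTI"*) echo "mitigated"; return 0 ;;
        "Vulnerable"*)      echo "vulnerable${off_by:+, disabled by $off_by}"; return 0 ;;
    esac

    # Fallback: the "pti" flag means isolation is active; a cpu_meltdown
    # bug entry without it means an affected CPU running unisolated.
    case " $flags " in
        *" pti "*) echo "mitigated"; return 0 ;;
    esac
    case " $bugs " in
        *" cpu_meltdown "*) echo "vulnerable${off_by:+, disabled by $off_by}"; return 0 ;;
    esac
    echo "unknown"
}

# Constructed sample inputs (not captured from a real host).
CPUINFO_PATCHED='processor : 0
flags : fpu vme de pse tsc msr pae pti
bugs : cpu_meltdown spectre_v1 spectre_v2'
CPUINFO_UNPATCHED='processor : 0
flags : fpu vme de pse tsc msr pae
bugs : cpu_meltdown spectre_v1 spectre_v2'

kpti_verdict "Mitigation: PTI" "$CPUINFO_PATCHED" "BOOT_IMAGE=/vmlinuz ro quiet"
kpti_verdict "Vulnerable" "$CPUINFO_UNPATCHED" "BOOT_IMAGE=/vmlinuz ro nopti"
kpti_verdict "" "$CPUINFO_PATCHED" "BOOT_IMAGE=/vmlinuz ro quiet"
# On a live host:
#   kpti_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)" \
#                "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)"
```

An "unknown" result means the kernel reports neither the sysfs file nor a cpu_meltdown bug entry, which is what a kernel older than the fix looks like.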
 

Danielx64

Level 10
Verified
Joined
Mar 24, 2017
Messages
472
OS
Windows 10
Antivirus
ESET
#59
"Some tech and hardware blogs have already started benchmarking CPU performance for operating systems before and after the patch, and some have reported performance dips. Nonetheless, readers should take into consideration that these are in-dev OS versions and the patched OSes may receive further patching and optimization."

Thank god for that, I would hate to see my CPU slow down because of this security issue.