If accurate, this doesn't look good (for many applications): http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
This is horrifying. [:@] I hope it turns out not as bad as initially reported.
My opinion: It's much too early to judge. Not enough info has been released and much of what is in the articles I've read is speculative. Early reports on the Linux patch show about 15-17% on some apps. Games don't seem to be affected, again on Linux patch. It seems it may affect IO intensive apps and virtualization platforms the most, which hits Logos. There's much speculative wording in every article I read. I would guess that once the security flaw is patched, there will be another round or two of patches, finding ways to optimize. Most newer CPUs may be less affected by the issue. AMD CPUs do not have the flaw, but it's unclear whether the OS patches will apply the security fix to both; it's reported that the Linux patch does apply the fix to both processors. This issue affects every PC or device using an Intel chip, independent of OS, so it impacts Windows, Mac, and Linux users.
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
There's a fairly lengthy discussion on Slashdot and the consensus is that this only affects Intel processors. https://it.slashdot.org/story/18/01/02/221254/kernel-memory-leaking-intel-processor-design-flaw-forces-linux-windows-redesign Once the patches are available next week and the embargo on reporting is lifted we should know exactly what the problem is and how affected each of our personal computers may be. Either way, as Intel admits, it's not a question of if but of how much our computers are going to be slowed down. I smell class actions in the air. Do you? It reminds me of the Pentiums that couldn't do math. That fiasco was minor compared to this.
There's a fairly lengthy discussion on Slashdot and the consensus is that this only affects Intel processors.
If that's what it's still saying, it's wrong. https://www.nytimes.com/2018/01/03/business/computer-flaws.html
There are two vulnerabilities, "Meltdown" and "Spectre."
The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.
Also of significance is that there is apparently no microcode or software fix for Spectre. Only new CPUs can correct the problem. That's the latest I've seen on the issue, through last night and into this morning (Thu Jan 4).
-Donnie
Spectre is concerning.
The slowdown patch for Meltdown has been available since last night from Microsoft Windows Update. (I did not do any prep for benchmarking it.)
Security papers posted at => https://meltdownattack.com/ have Questions & Answers that include:
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).
Why is it called Meltdown?
The bug basically melts security boundaries which are normally enforced by the hardware.
Why is it called Spectre?
The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
Haunting refrain may provide incentive for future computer purchase.
Keep Smiling [:)]
The slowdown patch
Intel and ARM insisted that the issue was not a design flaw, although it will require users to download a patch and update their operating system to fix.
“Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement, denying that fixes would slow down computers based on the company’s chips. “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
The Guardian 4/1/18
"and will be mitigated over time"????
Translated: As people buy new CPUs which don't inherently have these flaws, previous performance characteristics will be restored.
Love it!!
More likely translation: "Microsoft have done an emergency patch that fixes the security, but they haven't had time to optimise the performance of the patch yet. But they will."
I was serious. It was Intel’s quote, not Microsoft’s.
https://spectreattack.com/
I encourage everyone to scroll down and watch at least the second video.
I am running latest beta (7.12.0.0020) on MacOS latest beta (10.13.3). I have not encountered any unexpected performance issues. MacOS 10.13.2 is already patched and 10.3.3 is better. I cannot speak for anyone else's personal machine performance.
My questions are:
Has Faithlife patched their servers?
If not, when?
When will we be notified that our data on their servers is safe from these possible exploits?
I am not paranoid or too worried as there are no known problems reported in the wild yet. It is only a matter of time before the exploit is standard in black hat tool kits. I know that the FL is more than competent and capable of handling their end of this.
On the Mac side
As far as Meltdown is concerned, Apple's "Double Map" mitigation on 10.13.2 works and is already in place. NDAs on developers prohibit info on 10.13.3 from being disclosed at this point. On iOS 11.2 mitigation is already in place.
The Safari mitigation for Spectre is expected soon to protect browser transmitted data.
Performance data is now available.
The bottom line seems to be that the Windows patch to fix Meltdown saw small performance drops for some operations when writing to the SSD. A BIOS patch to mitigate Spectre showed more significant performance drops (15-20%) for many operations when reading/writing to the SSD.
Given that most of us probably won't receive BIOS updates, and that Logos rarely writes to the SSD for sustained periods (really only when indexing or updating the library catalog), I doubt many of us will even notice any performance drop, if there is one.
Thank you for sharing that info. I have faith that the mitigation efforts will improve and that the performance losses will decrease for Meltdown. I believe that the Spectre issues will greatly depend on ISP and network speeds. I could be wrong on that, but that is what I am thinking now.