And here’s the HN conversation:
2 Likes
Spectre is the name of the second exploit affecting AMD and Intel
4 Likes
8 Likes
This was a good Twitter thread:
https://twitter.com/nicoleperlroth/status/948684376249962496
Intel’s official response is misleading; there are essentially two classes of attacks and Intel’s chips are vulnerable to the more easily exploited class, with AMD apparently being immune to that particular one; the Linux patch only modifies behavior on Intel for this reason.
Also it’s pretty interesting that no one even considered timing attacks on chip level features before; this seems like the kind of thing that should have been obvious in retrospect (like Columbus’s egg).
7 Likes
Given how far back this reaches, I get the impression that 32 bit systems are not immune, but I haven’t read anything definitive yet…
Intel and AMD have got to be hoping that class actions get upper-limited by sympathetic judges, or this could be catastrophic for them.
In the meantime, maybe programmers will start tightening up sloppy code… Who am I kidding?
5 Likes
No, they don’t mean that. It is all Intel chips in the last 20 years except, maybe, early generation Atom (I hear).
6 Likes
Yes. And Itanium 
.
3 Likes
P6 (Pentium Pro) and onward is the word I’m getting. That means that my Vectra P6-200 running OS/2 is potentially vulnerable.
Peter Bright at Ars has been covering this quite well.
8 Likes
I wonder if this is connected to the Intel CEO selling a large amount of his stocks, which was reported a month ago?
8 Likes
I’m in the same boat, but I dual boot Linux on my Macbook (late 2007). I’m just waiting for the Linux update for that. On the other two computers, they are running Windows 7 so we are at the mercy of Microsucks. Maybe they’ll offer an update to Windows 10?
3 Likes
I think the answer to the first link is that Intel thought they could do no wrong. They were on top of the hardware world and got arrogant and figured they could get a pass on anything. Now we find out that almost anything that uses Intel chips or is based on those is boned.
Too bad it won’t hurt them.
5 Likes
Windows patches are available. Just verify any AV you use can work with them.
The patch won’t load on machines machines with AV that has not added a specific registry key.
5 Likes
What’s rough is that the only way to be sure your CPU isn’t susceptible to these exploits is to try it yourself, which is going to put a lot of shady tools out there.’
Maybe this is the perfect time for people to start an open-source workalike CPU initiative.
2 Likes
I believe this day in Enterprise IT warrants an
Oy, Vey!
While not wanting to proclaim the Sky is Falling, we still want to ensure our stuff ain’t broke and we mitigate risks where we can.
Between the current InfoSec du jour, some poorly communicated HR requirements, A lapsed certificate of some import and distinction, and then the usual Hell …I will be curling up with a SysAdmins best friend tonight: Bourbon.
6 Likes
No-ones asked this here yet that I can see so I’ve got to ask:
How long have our security services been using this?
3 Likes
My Chromebook (ARM cpu, not an A75) was patched in December. The A53 and A57 can be mitigated without trouble according to ARM.
So for web pages and video files, that’s a cheap answer.
To a certain extent it’s an OS level attack. Is the fundamental flaw that lookahead with execution (speculative execution) has been allowed to read forbidden memory and effectively bypass memory management?
ARM and AMD seem only to be liable to the more difficult attack except for the A75, which means that processors up to the 810, the 65x series and the Kirin 970 should be reasonably OK.
I’ve definitely bought my last ever computer with an Intel CPU though, and that was 6 years ago. I suspect that Qualcomm will be fixing the 845 pronto, and that will find its way onto laptops and desktops. Intel CPUs are now so bloated that I seriously doubt their ability to fix them properly in a short timescale, which might possibly explain the CEO’s share dump. Prices haven’t fallen yet, but in the long term AMD and ARM licensees may benefit.
5 Likes
Probably not. I suspect that Google’s engineers are better than either the NSA or GCHQ. They are also more motivated. If Google’s secrets leak, they don’t have a business. If the NSA or GCHQ’s secrets leak, they ask for more funding. Perverse incentive.
I have a son in law who works for Google, I know how they pay compared to the security services, and that explains my level of confidence.
7 Likes
Pay =/= talent.
If you get caught doing particularly nefarious black hat shenanigans, it’s not Google that offers you a decently paid job instead of the lifetime in prison that you were expecting. Well, they’re not the first people to offer, anyway…
6 Likes