Intel, AMD, ARM--all chips found to pose huge security risk

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#21 Post by 8Geee »

I saw on Bloomberg this afternoon AMD officially announced some of their CPUs were vulnerable. The TV segment did not go into detail.

rhetoric: Whoever knew "Atom" would actually live up to its name? /rhet

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#22 Post by prehistoric »

AMD has been vulnerable to some forms of Spectre from day one, so that is not news. AMD used a different implementation than Intel for the memory protection and caching exploited in Meltdown. This means that Intel exploits will not necessarily work on AMD chips, but it does not say there will not be AMD-specific Meltdown exploits. There probably will be.

One interesting tidbit about these vulnerabilities is that they were discovered independently by four different individuals or groups. None of these, with the exception of Google, were what I would call the powerhouses of the microcomputer world. None of the security companies involved appear to be closely associated with national intelligence agencies like NSA, CIA, GCHQ, FSB or GRU. (It is easy to name some that are close.)

Google's Project Zero has previously caused intelligence agencies problems by disclosing vulnerabilities they were able to use. My inference from this is that neither the intelligence agencies nor the major suppliers of chips and software were interested in finding this. That makes me wonder if they already knew. Since these exploits do not leave malware code in the system or evidence in kernel logs it would be pure gold for an intelligence agency that wanted to exploit it without being detected.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#23 Post by prehistoric »

The New York Times has an opinion piece about IT security, or lack of accountability for same. The author has an obvious personal interest in the subject, but begins to make a valid point.

The question this article raises in my mind is: just how much are companies and governments currently spending for IT security neither they nor we, the users of these systems, are getting?

Isn't it time to approach the subject in a markedly different way?

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#24 Post by ozsouth »

Since my patching attempts failed & I can't see puppy updates coming soon, got a cheap tablet (Lenovo Tab 3 Essential 7"). Apparently Cortex-A7 chips, tho slow, are immune to Meltdown/Spectre. After testing, not bad for AUD 96 - can even use low-res Foxtel (pay tv) app.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

And the beat goes on

#25 Post by prehistoric »

We have new evidence that supporting W7 was not really high on Microsoft's list of priorities. I'm having trouble tallying the number of problems introduced versus those eliminated.

My own take is that all these companies have managed to complicate matters to such an extent they cannot support any system that has been used long enough to be considered reliable and secure. Efforts to vacuum up as much information about user activities as possible have continued to advance. People stunned by revelations about information acquired via Facebook or Google, then sold and reused for purposes those users would never have agreed to, have simply not been paying attention. If you are using a service you aren't paying for, it should be axiomatic that you are the product they are selling.

This is not simply a rant about M$. I have an Android tablet that is unlikely to ever be updated from Android 4.4, and a 4th generation iPad which is only fairly secure running iOS 10.3.3.

New devices are mainly considered secure because they have not been tested as extensively, and thus show fewer known vulnerabilities. Some of those discovered have been hard to imagine. Mac OS High Sierra 10.13.1 was rolled out with a lapse that allowed administrator login with no password.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#26 Post by belham2 »

Boy, Prehistoric, I sure hope this all doesn't give the world's hardware gang (Intel, AMD, Qualcomm, even Google & its chips, plus MSFT's hardware, etc) any ideas about a possible "new & improved" business model:

1. Release something

2. Hope that massive holes & bugs & problems are found less than a year or two down the road.

3. Release something new that supposedly fixes it all

4. Lather, rinse, repeat...... :?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#27 Post by prehistoric »

@belham2,

At least the chips are things you can hold in your hand, and can be demonstrated to actually do something. Massive software is much harder to categorize in terms of how it behaves, thinking of it as a black box. When a new version comes out, how do you know if it addresses your problems better, or introduces new problems that benefit those selling?

There is a considerable business of selling things that are even less tangible. Consider this movie about massive fraud currently happening in U.S. stock markets. Pay attention to how major auditing firms like Price-Waterhouse have dramatically failed to uncover this because they only checked the paperwork. (To be even-handed, I remind people that Ernst & Young totally failed to warn investors about the looming collapse of Lehman Brothers in 2008. They remain in business today, unlike Arthur Andersen, which lost credibility by failing to detect massive fraud by Enron in 2001. Quis custodiet ipsos custodes?)

Just how far can criminals get before various institutional checks prevent them from going further? Consider Operation Odessa. They may not even be the biggest crooks out there, though they certainly are colorful.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#28 Post by 8Geee »

That Chinese fraud had inadvertently popped up its head in at least two ways that I'm aware of.

The first was reported by 60-Minutes 3-4 years ago about the huge condo-cities that have owners, yet are empty. Even the huge parking facilities.

The second was the Macau rob-you-blind gaming. No one cared how much was won or lost, but rather, who was losing, and how many employees/partners/friends of the subject were involved. A case of Gang-economics and laundering.

Belham2... Ahh, yes, the addiction syndrome. "may I have another, sir?"

Regards
8Geee