Archive for Intel

Intel Tries And Then Backtracks On Restricting Benchmarking Of CPU Fixes

Posted in Commentary on August 24, 2018 by itnerd

Since the Spectre and Meltdown CPU flaws first became public, Intel has been on the case to fix them. The thing is, their fixes have the effect of slowing down the CPU’s ability to process data, and various people and media outlets have documented that. And it appears that Intel is none too pleased about that because, as a reader tipped me off, they tried to restrict benchmarking of their fixes:

Intel is updating its loadable CPU microcode to handle various side-channel and timing attacks. There is a new license term applied to the new microcode:

You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results.

Since the microcode is running for every instruction, this seems to be a use restriction on the entire processor. Don’t run your benchmarker at all, not even on your own software, if you “provide” or publish the results.

I say tried because once this became public, there was an epic backlash as one would expect. That forced the CPU giant to go into damage control mode via Imad Sousou, the GM of Intel’s Open-Source Technology Center:

Well at least they listened and took action quickly. But one has to wonder why they even tried to do this in the first place as you would have to imagine that this was going to be the outcome 100 times out of 100. I guess that the fact that their CPUs take a performance hit to some degree or another because of these fixes is a really touchy subject over at Intel.


BREAKING: Intel CEO Resigns Over Relationship With Employee That Was “Consensual”

Posted in Commentary on June 21, 2018 by itnerd

It appears that Intel is having a #MeToo moment.

Intel has put out a press release in the last hour saying that CEO Brian Krzanich has resigned after it came to light that he had a “consensual” relationship with an employee:

Intel was recently informed that Mr. Krzanich had a past consensual relationship with an Intel employee. An ongoing investigation by internal and external counsel has confirmed a violation of Intel’s non-fraternization policy, which applies to all managers. Given the expectation that all employees will respect Intel’s values and adhere to the company’s code of conduct, the board has accepted Mr. Krzanich’s resignation.

Now taking over on an interim basis as CEO is Robert Swan who was the CFO.

The first thing that I thought of when this came to my attention was the Mark Hurd gong show that went down while he was at HP. Though he did eventually resurface at Oracle. I guess a similar reinvention is what Krzanich is hoping for. But in the here and now, Krzanich is dealing with optics that don’t look too good.

Oh Noes! Even More Spectre-Like CPU Flaws Found

Posted in Commentary on May 22, 2018 by itnerd

Google and Microsoft are out with details on yet another Spectre-like CPU flaw, which is documented in CVE-2018-3639. It is similar to the other Spectre flaws in that it stems from speculative execution, a technique that modern chips use to optimize their performance by making assumptions about upcoming operations. In this case, if the CPU begins work that turns out not to take place, it should unwind and delete all of the related data. But sometimes it doesn’t do that, which means that someone could get access to that data, and here we are talking about it.

Intel has said that the fixes it has already deployed for other variants of this flaw should make this more difficult to exploit. And new fixes are on the way. But they may impact performance. Thus they will be off by default because the risk level is low. But the risk exists so you should expect to see some action on this front in the near future.

Security Researchers Find 8 New ‘Spectre-Class’ Flaws In Intel CPUs…. Possibly ARM Too

Posted in Commentary on May 7, 2018 by itnerd

Here we go again.

Sometime today, we’re going to get details on eight… Yes, eight CPU flaws that are being dubbed “Spectre NG” or Spectre Next Generation. First, here are the details from Reuters:

Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c’t, said it was aware of Intel Corp’s plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan’s Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable… The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7…

“Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues,” said Yuriy Bulygin, chief executive officer of hardware security firm Eclypsium and a former Intel security researcher. “Hopefully, Meltdown and Spectre led to improvements to the complicated process of patching hardware.”

The reason why

Neowin also reports that Intel is expected to release microcode updates in two waves; one in May, and the other in August. But it also says this:

That being said, it appears that Google’s Project Zero may have discovered at least one of the eight vulnerabilities a while ago, and their stringent 90-day non-disclosure window may be very close to lapsing, perhaps as early as May 7, if sources are to be believed. After that, their policy is to publicly release information on the vulnerability, regardless of whether a fix is out.

Which means that this is about to get very real very quickly. I’ll be watching this story and I’ll be posting updates as new info comes to light.

Intel Punts Out List Of CPUs That Will NOT Get Fixes For Meltdown & Spectre

Posted in Commentary on April 4, 2018 by itnerd

Intel released an update to the Meltdown and Spectre mitigation guide, which is a PDF document that Intel published in February. The file contains information on the status of microcode updates for each of Intel’s CPU models released in the past years. And in this update is the news that the following CPU models will not get updates to mitigate the Meltdown and Spectre CPU flaws:

  • Bloomfield
  • Bloomfield Xeon
  • Clarksfield
  • Gulftown
  • Harpertown Xeon C0
  • Harpertown Xeon E0
  • Jasper Forest
  • Penryn/QC
  • SoFIA 3GR
  • Wolfdale C0
  • Wolfdale M0
  • Wolfdale E0
  • Wolfdale R0
  • Wolfdale Xeon C0
  • Wolfdale Xeon E0
  • Yorkfield
  • Yorkfield Xeon

According to my friend Google, most of these CPUs are a decade or more old. Therefore it’s understandable that they won’t be getting updates to fix these flaws. However, if you’re still using one of these CPUs, consider this to be your incentive to move on to something much newer.

Oh Noes! New Intel CPU Flaw Discovered! Is It A Big Deal?

Posted in Commentary on March 28, 2018 by itnerd

Here we go again.

Researchers have found a new CPU flaw that is similar to the Spectre CPU flaw. This one is called BranchScope and was found by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside and Binghamton University. A report on the flaw indicates that the attack uses some of the same speculative execution vulnerabilities as Spectre, exploiting the branch predictors of chips by using them to inadvertently leak sensitive information.

The folks at Ars Technica got this comment from Intel on this new CPU flaw:

We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.

In other words, nothing to see here, move along. We’ll find out if there’s really nothing to see here, because now that this is public, hackers will be looking at this to see if they can utilize it to pwn computers all over hell’s half acre.

Intel Didn’t Tell Feds About Spectre & Meltdown Flaws Until They Leaked

Posted in Commentary on February 22, 2018 by itnerd

The PR disaster that is the Spectre and Meltdown fiasco that Intel finds itself in just got worse. Intel apparently failed to inform U.S. cyber security officials about the Meltdown and Spectre chip flaws ahead of when they leaked to the public, even though Intel had advance knowledge of the vulnerabilities, several tech companies said in letters sent out to lawmakers on Thursday. Here are the details from Reuters:

Intel did not tell the United States Computer Emergency Readiness Team, better known as US-CERT, about Meltdown and Spectre until Jan. 3, after reports on them in online technology site The Register had begun to circulate.

US-CERT, which issues warnings about cyber security problems to the public and private sector, did not respond to a request for comment.

Oh boy. That’s not going to end well for Intel. With everything that has gone on with the failed remedies, possible insider trading and the like, the optics of this suck. You could make an argument that if there was no active threat, there was no need to tell the feds about this. But good luck arguing that now. And you can bet that lawyers who are suing Intel are going to use this to their advantage.