Spectre Next Generation is Coming Whether we Like it or Not

DooKey

[H]F Junkie (Joined: Apr 25, 2001; Messages: 12,443)
According to the folks over at c't, Spectre isn't over; it's just moving on to the next generation. They say Spectre NG has been confirmed as eight flaws in Intel CPUs that haven't been revealed yet, and that some ARM and possibly AMD vulnerabilities are possible as well. So watch out, people, because this ride is just getting started and you can't get off yet. Thanks cageymaru.

So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
 

ProfessorUtopia

Limp Gawd (Joined: Aug 12, 2005; Messages: 137)
I am just going to take my chances, with my personal computer(s).

Getting to be a pain dealing with this.

Same. Without credible, confirmed, in-the-wild threats, I'm going to hold off on throwing away 5 years of CPU performance gains, speculatively patching with speculative fixes for speculative execution over speculative vulnerabilities.
 

Stinkfist

[H]ard|Gawd (Joined: Mar 9, 2000; Messages: 1,508)
It is nice they are catching the vulnerabilities before they are made public though. Sure, I'm going to take my chances too, but the fact that we haven't seen these in the wild BEFORE they became known problems is a good thing.
 

Dead Parrot

2[H]4U (Joined: Mar 4, 2013; Messages: 2,831)
Not surprising. Once this attack vector was published, everyone wants to get in on the action. Likely to be many more variations on the theme. CPUs, chip sets, USB controller sets, etc. are complex gizmos often built in a hurry to get to market with 'New and Shiny' before the other guy. Seems a lot of companies are still living in "The Internet is a Friendly Place to Play" world and place security testing well out of the top 10 things to worry about.
 

SixFootDuo

Supreme [H]ardness (Joined: Oct 5, 2004; Messages: 5,825)
You guys can image a brand new install of your OS and deploy it every day or once or twice a week in a matter of a few minutes. It's not that big of a deal. It's not hard to keep people and shit off your system.
 

viper1152012

[H]ard|Gawd (Joined: Jun 20, 2012; Messages: 1,025)
....... I DO have a system image backed up once a month..... And yes I have a dual bios.... You know what, bring it on
 

theplaidfad

Lurker (Joined: Apr 24, 2008; Messages: 1,179)
So is branch prediction just going to have to stop being a thing? I, for one, do not welcome our new 1998 performance level CPU overlords.
 

Sycraft

Supreme [H]ardness (Joined: Nov 9, 2006; Messages: 5,309)
So is branch prediction just going to have to stop being a thing? I, for one, do not welcome our new 1998 performance level CPU overlords.

No, this is just something that we'll need to deal with and mitigate. There are risks to computer systems, just like physical systems, and you can't eliminate risk. You take steps to minimize it, but it is still there. This is just a new class of covert data channel attacks. Those have been around for a long time, and will always be around. You can't eliminate them all. To give you two examples, take DNS and ICMP. Both can be used to covertly exfiltrate (or infiltrate in the right circumstances) data from a system. ICMP is designed for control messages and pings and such, but there is a payload in it and malicious programs can and do make use of that payload to transfer data that bypasses firewall rules (because you have to permit at least some ICMP for IP to work properly).

So what will we do about these? When feasible, we'll patch CPU microcode to stop them there; if not, we'll patch OS kernels to stop them there; if not, we'll need to change how applications work to stop them there; and if not, we'll have to work on detection for malware using them. Same shit as other security issues. It won't go away, and we won't just say "Well, that's it, can't fix this 100%, let's pack it up and stop using the technology!" No, we'll just do our best to mitigate the risk, and to detect exploitation when it happens.
 

Dk975

Gawd (Joined: Sep 24, 2005; Messages: 865)
I wonder if the future Intel chips that are coming out with former Spectre and Meltdown problems fixed will also have these problems fixed?
These problems are getting out of hand. Wasn't China producing their own CPUs? Maybe they will be smarter and think about security up front.
 

Skull_Angel

[H]ard|Gawd (Joined: May 31, 2010; Messages: 1,664)
Guy: Hey guys, I found that secret backdoor X agency made you put into the system.

Company: What? You're crazy, no you didn't. ::whispers to boss:: Hey boss we've got a problem... <Boss> What? Let me contact the PR guys and let them handle the announcements...

Guy: Still there? I can prove it. Watch. ::customers x, y, z, etc. complain about being locked out of their systems::

Company: Hey boss!! <Boss> Shit! PR guys!? <PR guys> We're on it!! <Boss> Tech guys, patch that backdoor and put it somewhere else... ::grumbles:: <Tech guys> On it.

Guy: Um guys... I found that new backdoor...

Company: Dammit! Boss!! <Boss> Again!? L$HD#*HG*$SYI!!
 

MrDeaf

Limp Gawd (Joined: Jun 9, 2017; Messages: 428)
INB4 another unheard of IT security company publishes AMD CPU vulnerabilities that require an already compromised system, gives only 24hrs of notice to AMD and also claims that "AMD can't fix it for several months".
 

Advil

2[H]4U (Joined: Jul 16, 2004; Messages: 2,104)
I realize I'm just being idealistic here, but at what point does Intel actually owe us a fixed processor?

This is moving way beyond "stuff happens and we released a patch which makes your machine slightly slower but act of god level unforeseeable issues happen sometimes, move along."

Now it's turning into a case of the exploit being the never-completely-fixable gift that just keeps on giving and taking performance with every new patch.

Yep, my CPU still works. Yep, it's overall quite fast. But by the time this next round of patches goes in it's pretty safe to say I could have built that overclocked Ryzen 1700 and mobo for about $250 less than this 8700k and matched the performance.

And almost a sure thing that it will no longer be a notable step up from last gen hardware anymore.

The entire decision to do this build was based on the insane per core performance numbers. I guess all we can do is wait for the numbers and see what the performance graphs look like.
 

daglesj

Supreme [H]ardness (Joined: May 7, 2005; Messages: 5,703)
Another 'Apocalyptic Bug of the Week' that actually doesn't really translate to anything major in the real world.

If Web News etc. wasn't so reliant on sensationalism to generate clicks we would have a more reasoned and balanced view of the world.

How many times in the past 12 months has Android been "cracked wide open" etc. etc. etc.?

We're still here.
 

Brahmzy

Supreme [H]ardness (Joined: Sep 9, 2004; Messages: 4,958)
Maybe not major for you. A nightmare for Enterprise SysAds / Infrastructure folk. Major real-world impact for us.
 

sirmonkey1985

[H]ard|DCer of the Month - July 2010 (Joined: Sep 13, 2008; Messages: 22,278)
Not surprising. Once this attack vector was published, everyone wants to get in on the action. Likely to be many more variations on the theme. CPUs, chip sets, USB controller sets, etc. are complex gizmos often built in a hurry to get to market with 'New and Shiny' before the other guy. Seems a lot of companies are still living in "The Internet is a Friendly Place to Play" world and place security testing well out of the top 10 things to worry about.

Sometimes it's just shit you never think of. The people that find these flaws spend years trying to break shit 'til they get the results they need. I mean, think about it: this flaw has existed for 10 years and they are just now finding it.
 