The CTS Labs vulnerabilities were poorly disclosed and over-hyped, but there *were* legitimate issues. Reasonable people can disagree about the criticality, but they were not fake.
Plus, ASSmedia sucks, and it would not be unreasonable to question AMD's decision making if they were to use them to install lightbulbs, let alone incorporate their IP into their product line.

-----Original Message-----
From: Hardware [mailto:[email protected]] On Behalf Of James Boswell
Sent: Friday, July 6, 2018 8:06 PM
To: [email protected]
Subject: Re: [H] Should I rebuild my machine now or wait until the next gen of CPUs?

*puzzled expression*

Are you referring to the CTS Labs hatchet job? Or has there actually been a legit security issue with the chipsets?

-JB

From: Brian Weeden
Sent: 07 July 2018 02:04
To: hardware
Subject: Re: [H] Should I rebuild my machine now or wait until the next gen of CPUs?

Agree with all of that, although as I mentioned earlier AMD's utter failure in screening their motherboard chipset vendor also gives me pause. Hard to tell if that's a one-off mistake, or a sign that they don't really care that much about security.

---------
Brian

On Fri, Jul 6, 2018 at 9:01 PM, Greg Sevart <[email protected]> wrote:

> Thus far, AMD's story has been more compelling than Intel's. AMD is
> immune to Meltdown, and is broadly speaking less vulnerable to the
> Spectre variants. However, it would be naïve to believe that AMD is in
> the clear, as additional vulnerabilities are slowly coming out in this
> new and novel class of attack vector.
>
> My thinking is that while both Linux and Windows are currently only
> doing the PTI/KernelVA shadowing for Intel, it will eventually be
> mandatory for all architectures--for defense in depth if nothing else.
>
> -----Original Message-----
> From: Hardware [mailto:[email protected]] On Behalf Of Brian Weeden
> Sent: Friday, July 6, 2018 3:42 PM
> To: hardware <[email protected]>
> Subject: Re: [H] Should I rebuild my machine now or wait until the
> next gen of CPUs?
>
> Winter, that is exactly the situation I'm in and the question I'm asking.
> I have not applied any patches to my system because a) they're only
> partially effective and b) they have a performance hit.
>
> So I'm trying to see if it makes sense to upgrade to a new machine
> now, or whether I should stick it out for another several months
> (year?) to see if Intel or AMD rolls out something that actually fixes
> the underlying problems.
>
> ---------
> Brian
>
> On Fri, Jul 6, 2018 at 4:38 PM, Winterlight <[email protected]> wrote:
>
> > This has been an interesting thread. So Greg the Ivy Bridge patch
> > that you posted will be delivered by Windows 10 ...eventually...
> > maybe? I am still running a P9X79 WS with my six core Ivy Bridge with Win10.
> > InSpectre tells me Spectre is not protected and performance is slower.
> > Just how much at risk am I? I figure I will never see a BIOS update..
> > ... or will I? The whole thing is a big mess, and I would imagine
> > there are all sorts of class action lawsuits heading toward CPU and
> > motherboard manufacturers.
> >
> > At 10:08 AM 7/6/2018, you wrote:
> >
> >> The chipset vulnerabilities were ugly, yes, but for their part AMD
> >> did ensure they were resolved quickly despite the research firm not
> >> following industry best-practices regarding vulnerability disclosure.
> >> My bigger beef is that AMD would use ASSmedia (not a typo) at all,
> >> given their fairly well-established track record of being roughly
> >> equivalent to dog excrement.
> >> I don't subscribe to the AMD Fanboy narrative that it was an Intel
> >> hit-job, though.
> >>
> >> Intel's roadmap is a real mess right now. A sudden and surprisingly
> >> competitive AMD portfolio coupled with severe yield and performance
> >> issues with their ambitious 10nm process technology has painted
> >> them into a corner with no good near-term options. So, they're
> >> going to push their 14nm++ tech for another iteration, adding
> >> cores, to (try to) re-establish clear superiority.
> >> Luckily for them, their 14++ is actually really good.
> >>
> >> Greg
> >>
> >> -----Original Message-----
> >> From: Hardware [mailto:[email protected]] On Behalf Of Brian Weeden
> >> Sent: Friday, July 6, 2018 9:03 AM
> >> To: hardware <[email protected]>
> >> Subject: Re: [H] Should I rebuild my machine now or wait until the
> >> next gen of CPUs?
> >>
> >> Thanks, Greg. That pretty much aligns with my thought process on
> >> this, so I guess it's good at least one other person is coming to
> >> the same conclusions I am :)
> >>
> >> Didn't know about the Ivy Bridge patches - will look into that more.
> >> But one of the reasons I haven't patched at all is that all the
> >> mitigations for older chips like mine have had significant
> >> performance penalties. And at this point that's a bigger issue for
> >> me than the security, as I'm not really in that big of a threat
> >> environment.
> >>
> >> But I plan to use whatever I buy for the next several years and it
> >> would be good to get something that's not going to have major
> >> structural vulnerabilities that will be problems that entire time.
> >>
> >> My major hangup with AMD is not the performance but rather the
> >> massive vulnerabilities found in their Ryzen chipset, all because
> >> they did a very poor job providing oversight of the company they
> >> outsourced it to. That doesn't speak well of their commitment to
> >> security in my mind.
> >>
> >> I had heard that Intel's 2018 lineup was delayed until next year as
> >> they try and fix all this stuff, but maybe that was just for their
> >> mobile chips?
> >>
> >> ---------
> >> Brian
> >>
> >> On Fri, Jul 6, 2018 at 2:20 AM, Greg Sevart <[email protected]> wrote:
> >>
> >> > Actually, your Ivy Bridge CPU had a new microcode revision with
> >> > additional Spectre defenses released just this past Monday.
> >> > While it's a long-shot for your motherboard manufacturer to release a
> >> > new FW update, it *is* likely to appear in an OS patch. CPU
> >> > microcode can be and is loaded via multiple mechanisms, including
> >> > during OS early boot. On Windows, your options are a bit more
> >> > limited as you must wait for Microsoft to update their microcode patch.
> >> >
> >> > Microsoft's microcode patch information, which is ONLY available
> >> > for Windows 10 1709 (or later?) can be found here:
> >> > https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
> >> >
> >> > It's something of a mess. As you may see, Ivy Bridge desktop CPUs
> >> > are not listed explicitly, but I've heard reports of the patch
> >> > taking effect on them anyway. Use a tool such as InSpectre or
> >> > Get-SpeculationControlSettings in the PowerShell Gallery to
> >> > verify your status post-update.
> >> >
> >> > With regard to an upgrade...hard to say. On the desktop side,
> >> > with Ryzen, AMD has finally released a product that is competitive.
> >> > Broadly speaking (i.e., on overall average), it is not clearly
> >> > superior despite higher core counts, but very competitive and
> >> > hence a viable option to Intel's Coffee Lake SKUs. If you're
> >> > interested in HEDT, that's a bit harder to answer...for highly
> >> > threaded workloads, the
> >> > Threadripper/X399 platform wins on both performance and price
> >> > (despite the dumb name and attempt to usurp Intel's existing
> >> > platform naming scheme), but if single-threaded performance is
> >> > more important, Skylake-X/X299 is still the better bet.
> >> >
> >> > CPUs with integrated defenses to the various Spectre variants are
> >> > expected near the end of the year.
> >> > As it stands now, performance
> >> > wise, Intel's silicon is more negatively impacted via existing
> >> > mitigations, but not enough to make a meaningful difference in
> >> > *most* client workloads for current silicon. Older CPUs (such as
> >> > your Ivy) that do not support INVPCID are especially hurt by
> >> > Meltdown's mitigation.
> >> > Fundamentally, I don't think either one is substantially more
> >> > secure if your mitigations are current.
> >> > While we've already seen some since the initial 3 CVEs were
> >> > announced, it's widely expected that more vulnerabilities will be
> >> > discovered in the coming months and years as this new and novel
> >> > class of attack vector is researched.
> >> >
> >> > Major items rumored to be coming soon-ish:
> >> > Intel desktop: Widely expected to have a new 8-core mainstream
> >> > chip out sometime later this year.
> >> > Intel HEDT: Cascade Lake-X expected in Q4, up to 28C, though the
> >> > series may span sockets. Maybe a 22C interim offering?
> >> > AMD Desktop: Zen+ 2000-series just released offering minor
> >> > improvements, Zen 2 expected next year
> >> > AMD HEDT: Zen+ refresh of Threadripper expected soon, up to 32C.
> >> >
> >> > My personal take: I'd buy Intel for intensive, lightly-threaded
> >> > workloads, and AMD for intensive, heavily-threaded workloads.
> >> > Anything not intensive isn't going to be different enough to
> >> > matter, so go with whatever floats your boat and/or wallet.
> >> >
> >> > Greg
> >> >
> >> > -----Original Message-----
> >> > From: Hardware [mailto:[email protected]]
> >> > On Behalf Of Brian Weeden
> >> > Sent: Thursday, July 5, 2018 9:45 PM
> >> > To: hwg <[email protected]>
> >> > Subject: [H] Should I rebuild my machine now or wait until the
> >> > next gen of CPUs?
> >> >
> >> > Currently running a core i5-3750K with 32GB of RAM on my main
> >> > machine, which I use for both work and gaming.
> >> >
> >> > Been looking to replace it for several months now, but have held
> >> > off in part because of all the vulnerabilities that keep turning
> >> > up in modern CPUs (Meltdown, Spectre, and all their variants).
> >> > The thing is, my existing CPU is old enough that it doesn't
> >> > support any of the mitigations, so I'm actually less secure now
> >> > than if I bought a new CPU that at least had mitigations against
> >> > the vulns (even if the new CPUs that actually fix them are 6-12 months
> >> > away).
> >> >
> >> > So first question is, is the time right to go do this now?
> >> >
> >> > Second question is, Intel or AMD? Is one better off than the
> >> > other from a security standpoint that's worth taking into consideration?
> >> >
> >> > ---------
> >> > Brian
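
Added example, not part of the original thread: a PowerShell function that interprets the object returned by Get-SpeculationControlSettings (the tool mentioned in the thread) to show whether a microcode update took effect and whether the Meltdown mitigation is running without the PCID optimization, as on CPUs that lack INVPCID. The function name Get-MitigationSummary and the sample values are constructed for illustration; the property names are the ones the SpeculationControl module reports.

```powershell
# Added example. On a real system, feed it the module's output:
#   Install-Module SpeculationControl -Scope CurrentUser
#   Get-SpeculationControlSettings | Get-MitigationSummary
function Get-MitigationSummary {          # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        # Spectre v2 needs both CPU microcode and OS support.
        if (-not $Settings.BTIHardwarePresent) {
            'Spectre v2: no microcode support detected (update not loaded).'
        } elseif (-not $Settings.BTIWindowsSupportEnabled) {
            'Spectre v2: microcode present, Windows mitigation not enabled.'
        } else {
            'Spectre v2: microcode and Windows mitigation both active.'
        }

        # Meltdown is mitigated by kernel VA shadowing; PCID only affects its cost.
        if (-not $Settings.KVAShadowRequired) {
            'Meltdown: CPU does not require kernel VA shadowing.'
        } elseif (-not $Settings.KVAShadowWindowsSupportEnabled) {
            'Meltdown: kernel VA shadowing required but not enabled.'
        } elseif (-not $Settings.KVAShadowPcidEnabled) {
            'Meltdown: mitigated, without the PCID optimization (higher overhead).'
        } else {
            'Meltdown: mitigated, with the PCID optimization.'
        }
    }
}

# Constructed sample: an Intel CPU without INVPCID, before the microcode update.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $false
}
$sample | Get-MitigationSummary
```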
