Synology does have some vulnerable models and does not appear to have
released any fixes yet.
https://www.synology.com/en-global/support/security/Synology_SA_18_01

However, I don't think this is a big concern for appliances like that.
Effective exploitation of Meltdown or Spectre requires running code on the
target system.

-----Original Message-----
From: Hardware [mailto:[email protected]] On Behalf
Of Winterlight
Sent: Friday, July 6, 2018 11:41 PM
To: [email protected]
Subject: Re: [H] Should I rebuild my machine now or wait until the next gen
of CPUs?


I was planning on getting a Synology
NAS....should I be concerned about security? I assumed that they would have
this problem locked down on their new hardware...but I am not sure.

At 07:01 PM 7/6/2018, you wrote:
>Thus far, AMD's story has been more compelling than Intel's. AMD is 
>immune to Meltdown, and is broadly speaking less vulnerable to the 
>Spectre variants. However, it would be naïve to believe that AMD is in 
>the clear, as additional vulnerabilities are slowly coming out in this 
>new and novel class of attack vector.
>
>My thinking is that while both Linux and Windows are currently only 
>doing the PTI/KernelVA shadowing for Intel, it will eventually be 
>mandatory for all architectures--for defense in depth if nothing else.
>
>-----Original Message-----
>From: Hardware
>[mailto:[email protected]] On Behalf Of Brian 
>Weeden
>Sent: Friday, July 6, 2018 3:42 PM
>To: hardware <[email protected]>
>Subject: Re: [H] Should I rebuild my machine now or wait until the next 
>gen of CPUs?
>
>Winter, that is exactly the situation I'm in and the question I'm 
>asking. I have not applied any patches to my system because a) they're 
>only partially effective and b) they have a performance hit.
>
>So I'm trying to see if it makes sense to upgrade to a new machine now, 
>or whether I should stick it out for another several months
>(year?) to see if Intel or AMD rolls out something that actually fixes 
>the underlying problems.
>
>
>
>---------
>Brian
>
>
>On Fri, Jul 6, 2018 at 4:38 PM, Winterlight 
><[email protected]>
>wrote:
>
> > This has been an interesting thread. So Greg the Ivy Bridge patch 
> > that you posted will be delivered by Windows 10 ...eventually... 
> > maybe? I am still running a P9X79 WS with my six core Ivy Bridge with
> > Win10.
> > InSpectre tells me Spectre is not protected and performance is slower.
> > Just how much at risk am I? I figure I will never see a BIOS update..
> > ... or will I? The whole thing is a big mess, and I would imagine 
> > there are all sorts of class action lawsuits
> > heading toward CPU and motherboard manufacturers.
> >
> >
> >
> > At 10:08 AM 7/6/2018, you wrote:
> >
> >> The chipset vulnerabilities were ugly, yes, but for their part AMD 
> >> did ensure they were resolved quickly despite the research firm not 
> >> following industry best-practices regarding vulnerability disclosure.
> >> My bigger beef is that AMD would use ASSmedia (not a typo) at all, 
> >> given their fairly well-established track
> >> record of being roughly equivalent to dog excrement.
> >> I don't subscribe to the AMD Fanboy narrative that it was an Intel 
> >> hit-job, though.
> >>
> >> Intel's roadmap is a real mess right now. A sudden and surprisingly 
> >> competitive AMD portfolio coupled with severe yield and performance 
> >> issues with their ambitious 10nm process technology has painted 
> >> them into a corner with no good near-term options. So, they're 
> >> going to push their 14nm++ tech for another iteration, adding 
> >> cores, to (try to) re-establish clear superiority. Luckily
> >> for them, their 14++ is actually really good.
> >>
> >> Greg
> >>
> >> -----Original Message-----
> >> From: Hardware [mailto:[email protected]] On 
> >> Behalf Of Brian Weeden
> >> Sent: Friday, July 6, 2018 9:03 AM
> >> To: hardware <[email protected]>
> >> Subject: Re: [H] Should I rebuild my machine now or wait until the 
> >> next gen of CPUs?
> >>
> >> Thanks,  Greg. That pretty much aligns with my thought process on 
> >> this, so I guess it's good at least one other person is coming to 
> >> the same conclusions I am :)
> >>
> >> Didn't know about the Ivy Bridge patches - will look into that more.
> >> But one of the reasons I haven't patched at all is that all the 
> >> mitigations for older chips like mine have had significant 
> >> performance penalties. And at this point that's a bigger issue for 
> >> me than the security, as I'm not really in that big of a threat
> >> environment.
> >>
> >> But I plan to use whatever I buy for the next several years and it 
> >> would be good to get something that's not going to have major 
> >> structural vulnerabilities that will be problems that entire time.
> >>
> >> My major hangup with AMD is not the performance but rather the 
> >> massive vulnerabilities found in their Ryzen chipset, all because 
> >> they did a very poor job providing oversight of the company they 
> >> outsourced it to. That doesn't speak well of
> >> their commitment to security in my mind.
> >>
> >> I had heard that Intel's 2018 lineup was delayed until next year as 
> >> they try and fix all this stuff, but maybe
> >> that was just for their mobile chips?
> >>
> >>
> >>
> >>
> >> ---------
> >> Brian
> >>
> >>
> >> On Fri, Jul 6, 2018 at 2:20 AM, Greg Sevart <[email protected]> wrote:
> >>
> >> > Actually, your Ivy Bridge CPU had new microcode revision with 
> >> > additional Spectre defenses released just this past Monday. While 
> >> > it's a long-shot for your motherboard manufacturer to release a 
> >> > new FW update, it *is* likely to appear in an OS patch. CPU 
> >> > microcode can be and is loaded via multiple mechanisms, including 
> >> > during OS early boot. On Windows, your options are a bit more 
> >> > limited as you must wait for Microsoft to update their microcode
> >> > patch.
> >> >
> >> > Microsoft's microcode patch information, which is ONLY available 
> >> > for Windows 10 1709 (or later?) can be found here:
> >> > https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
> >> >
> >> > It's something of a mess. As you may see, Ivy Bridge desktop CPUs 
> >> > are not listed explicitly, but I've heard reports of the patch 
> >> > taking effect on them anyway. Use a tool such as InSpectre or 
> >> > Get-SpeculationControlSettings in the PowerShell Gallery to 
> >> > verify your status post-update.
> >> >
> >> >
> >> > With regard to an upgrade...hard to say. On the desktop side, 
> >> > with Ryzen, AMD has finally released a product that is competitive.
> >> > Broadly speaking (i.e., on overall average), it is not clearly 
> >> > superior despite higher core counts, but very competitive and 
> >> > hence a viable option to Intel's Coffee Lake SKUs. If you're 
> >> > interested in HEDT, that's a bit harder to answer...for highly 
> >> > threaded workloads, the
> >> > Threadripper/X399 platform wins on both performance and price 
> >> > (despite the dumb name and attempt to usurp Intel's existing 
> >> > platform naming scheme), but if single-threaded performance is 
> >> > more important, Skylake-X/X299 is still the better bet.
> >> >
> >> > CPUs with integrated defenses to the various Spectre variants are 
> >> > expected near the end of the year. As it stands now, performance 
> >> > wise, Intel's silicon is more negatively impacted via existing 
> >> > mitigations, but not enough to make a meaningful difference in
> >> > *most* client workloads for current silicon. Older CPUs (such as 
> >> > your Ivy) that do not support INVPCID are
> >> > especially hurt by Meltdown's mitigation.
> >> > Fundamentally, I don't think either one is substantially more 
> >> > secure if your mitigations are current.
> >> > While we've already seen some since the initial 3 CVEs were 
> >> > announced, it's widely expected that more vulnerabilities will be 
> >> > discovered in the coming months and years as this new and novel 
> >> > class of attack vector is researched.
> >> >
> >> > Major items rumored to be coming soon-ish:
> >> > Intel desktop: Widely expected to have a new 8-core mainstream 
> >> > chip out sometime later this year.
> >> > Intel HEDT: Cascade Lake-X expected in Q4, up to 28C, though the 
> >> > series may span sockets. Maybe a 22C interim offering?
> >> > AMD Desktop: Zen+ 2000-series just released offering minor 
> >> > improvements, Zen 2 expected next year.
> >> > AMD HEDT: Zen+ refresh of Threadripper expected soon, up to 32C.
> >> >
> >> >
> >> > My personal take: I'd buy Intel for intensive, lightly-threaded 
> >> > workloads, and AMD for intensive, heavily-threaded workloads.
> >> > Anything not intensive isn't going to be different enough to 
> >> > matter, so go with whatever floats your boat and/or wallet.
> >> >
> >> > Greg
> >> >
> >> > -----Original Message-----
> >> > From: Hardware [mailto:[email protected]] 
> >> > On Behalf Of Brian Weeden
> >> > Sent: Thursday, July 5, 2018 9:45 PM
> >> > To: hwg <[email protected]>
> >> > Subject: [H] Should I rebuild my machine now or wait until the 
> >> > next gen of CPUs?
> >> >
> >> > Currently running a core i5-3750K with 32GB of RAM on my main 
> >> > machine, which I use for both work and gaming.
> >> >
> >> > Been looking to replace it for several months now, but have held 
> >> > off in part because of all the vulnerabilities that keep turning 
> >> > up in modern CPUs (Meltdown, Spectre, and all their variants). 
> >> > The thing is, my existing CPU is old enough that it doesn't 
> >> > support any of the mitigations, so I'm actually less secure now 
> >> > than if I bought a new CPU that at least had mitigations against 
> >> > the vulns (even if the new CPUs that actually fix them are 6-12
> >> > months away).
> >> >
> >> > So first question is, is the time right to go do this now?
> >> >
> >> > Second question is, Intel or AMD? Is one better off than the 
> >> > other from a security standpoint that's worth taking into
> >> > consideration?
> >> >
> >> >
> >> > ---------
> >> > Brian
> >> >
> >> >
> >> >
> >>
> >
> >


