I agree with that. I have a DS1817+ and I’m not that concerned. An attacker
would have to get their own code running on my Synology in order to exploit
the vulns, and I don’t install new code on there all that often. It’s not
like a desktop where you’re constantly downloading and opening/executing
new files.

On Sat, Jul 7, 2018 at 10:08 AM Greg Sevart <[email protected]> wrote:

> Synology does have some vulnerable models and does not appear to have
> released any fixes yet.
> https://www.synology.com/en-global/support/security/Synology_SA_18_01
>
> However, I don't think this is a big concern for appliances like that.
> Effective exploitation of meltdown or spectre requires running code on the
> target system.
>
> -----Original Message-----
> From: Hardware [mailto:[email protected]] On Behalf
> Of Winterlight
> Sent: Friday, July 6, 2018 11:41 PM
> To: [email protected]
> Subject: Re: [H] Should I rebuild my machine now or wait until the next gen
> of CPUs?
>
>
> I was planning on getting a Synology
> NAS....should I be concerned about security? I assumed that they would have
> this problem locked down on their new hardware...but I am not sure.
>
> At 07:01 PM 7/6/2018, you wrote:
> >Thus far, AMD's story has been more compelling than Intel's. AMD is
> >immune to meltdown, and is broadly speaking less vulnerable to the
> >Spectre variants. However, it would be naïve to believe that AMD is in
> >the clear, as additional vulnerabilities are slowly coming out in this
> >new and novel class of attack vector.
> >
> >My thinking is that while both Linux and Windows are currently only
> >doing the PTI/KernelVA shadowing for Intel, it will eventually be
> >mandatory for all architectures--for defense in depth if nothing else.
> >
> >-----Original Message-----
> >From: Hardware
> >[mailto:[email protected]] On Behalf Of Brian
> >Weeden
> >Sent: Friday, July 6, 2018 3:42 PM
> >To: hardware <[email protected]>
> >Subject: Re: [H] Should I rebuild my machine now or wait until the next
> >gen of CPUs?
> >
> >Winter, that is exactly the situation I'm in and the question I'm
> >asking. I have not applied any patches to my system because a) they're
> >only partially effective and b) they have a performance hit.
> >
> >So I'm trying to see if it makes sense to upgrade to a new machine now,
> >or whether I should stick it out for another several months
> >(year?) to see if Intel or AMD rolls out something that actually fixes
> >the underlying problems.
> >
> >
> >
> >---------
> >Brian
> >
> >
> >On Fri, Jul 6, 2018 at 4:38 PM, Winterlight
> ><[email protected]>
> >wrote:
> >
> > > > This has been an interesting thread. So Greg, the Ivy Bridge patch
> > > > that you posted will be delivered by Windows 10 ...eventually...
> > > > maybe? I am still running a P9X79 WS with my six core Ivy Bridge with
> > > > Win10.
> > > > InSpectre tells me Spectre is not protected and performance is slower.
> > > > Just how much at risk am I? I figure I will never see a BIOS update...
> > > > ... or will I? The whole thing is a big mess, and I would imagine
> > > > there are all sorts of class action lawsuits heading toward CPU and
> > > > motherboard manufacturers.
> > >
> > >
> > >
> > > At 10:08 AM 7/6/2018, you wrote:
> > >
> > >> The chipset vulnerabilities were ugly, yes, but for their part AMD
> > >> did ensure they were resolved quickly despite the research firm not
> > >> following industry best-practices regarding vulnerability disclosure.
> > > >> My bigger beef is that AMD would use ASSmedia (not a typo) at all,
> > > >> given their fairly well-established track record of being roughly
> > > >> equivalent to dog excrement.
> > >> I don't subscribe to the AMD Fanboy narrative that it was an Intel
> > >> hit-job, though.
> > >>
> > >> Intel's roadmap is a real mess right now. A sudden and surprisingly
> > >> competitive AMD portfolio coupled with severe yield and performance
> > >> issues with their ambitious 10nm process technology has painted
> > >> them into a corner with no good near-term options. So, they're
> > > >> going to push their 14nm++ tech for another iteration, adding
> > > >> cores, to (try to) re-establish clear superiority. Luckily for
> > > >> them, their 14++ is actually really good.
> > >>
> > >> Greg
> > >>
> > >> -----Original Message-----
> > >> From: Hardware [mailto:[email protected]] On
> > >> Behalf Of Brian Weeden
> > >> Sent: Friday, July 6, 2018 9:03 AM
> > >> To: hardware <[email protected]>
> > >> Subject: Re: [H] Should I rebuild my machine now or wait until the
> > >> next gen of CPUs?
> > >>
> > > >> Thanks, Greg. That pretty much aligns with my thought process on
> > >> this, so I guess it's good at least one other person is coming to
> > >> the same conclusions I am :)
> > >>
> > >> Didn't know about the Ivy Bridge patches - will look into that more.
> > >> But one of the reasons I haven't patched at all is that all the
> > >> mitigations for older chips like mine have had significant
> > >> performance penalties. And at this point that's a bigger issue for
> > > >> me than the security, as I'm not really in that big of a threat
> > > >> environment.
> > >>
> > >> But I plan to use whatever I buy for the next several years and it
> > >> would be good to get something that's not going to have major
> > >> structural vulnerabilities that will be problems that entire time.
> > >>
> > >> My major hangup with AMD is not the performance but rather the
> > >> massive vulnerabilities found in their Ryzen chipset, all because
> > >> they did a very poor job providing oversight of the company they
> > > >> outsourced it to. That doesn't speak well of their commitment to
> > > >> security in my mind.
> > > >>
> > > >> I had heard that Intel's 2018 lineup was delayed until next year as
> > > >> they try and fix all this stuff, but maybe that was just for their
> > > >> mobile chips?
> > >>
> > >>
> > >>
> > >>
> > >> ---------
> > >> Brian
> > >>
> > >>
> > >> On Fri, Jul 6, 2018 at 2:20 AM, Greg Sevart <[email protected]> wrote:
> > >>
> > >> > Actually, your Ivy Bridge CPU had new microcode revision with
> > >> > additional Spectre defenses released just this past Monday. While
> > >> > it's a long-shot for your motherboard manufacturer to release a
> > >> > new FW update, it *is* likely to appear in an OS patch. CPU
> > >> > microcode can and is loaded via multiple mechanisms, including
> > >> > during OS early boot. On Windows, your options are a bit more
> > > >> > limited as you must wait for Microsoft to update their microcode
> > > >> > patch.
> > >> >
> > >> > Microsoft's microcode patch information, which is ONLY available
> > >> > for Windows 10 1709 (or later?) can be found here:
> > > >> > https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
> > >> >
> > >> > It's something of a mess. As you may see, Ivy Bridge desktop CPUs
> > >> > are not listed explicitly, but I've heard reports of the patch
> > >> > taking effect on them anyway. Use a tool such as InSpectre or
> > >> > Get-SpeculationControlSettings in the PowerShell Gallery to
> > > >> > verify your status post-update.
> > >> >
> > >> >
> > >> > With regard to an upgrade...hard to say. On the desktop side,
> > >> > with Ryzen, AMD has finally released a product that is competitive.
> > >> > Broadly speaking (i.e., on overall average), it is not clearly
> > >> > superior despite higher core counts, but very competitive and
> > >> > hence a viable option to Intel's Coffee Lake SKUs. If you're
> > >> > interested in HEDT, that's a bit harder to answer...for highly
> > >> > threaded workloads, the
> > >> > Threadripper/X399 platform wins on both performance and price
> > >> > (despite the dumb name and attempt to usurp Intel's existing
> > >> > platform naming scheme), but if single-threaded performance is
> > > >> > more important, Skylake-X/X299 is still the better bet.
> > >> >
> > >> > CPUs with integrated defenses to the various Spectre variants are
> > >> > expected near the end of the year. As it stands now, performance
> > >> > wise, Intel's silicon is more negatively impacted via existing
> > >> > mitigations, but not enough to make a meaningful difference in
> > >> > *most* client workloads for current silicon. Older CPUs (such as
> > > >> > your Ivy) that do not support INVPCID are especially hurt by
> > > >> > Meltdown's mitigation.
> > > >> > Fundamentally, I don't think either one is substantially more
> > > >> > secure if your mitigations are current.
> > > >> > While we've already seen some since the initial 3 CVEs were
> > > >> > announced, it's widely expected that more vulnerabilities will be
> > > >> > discovered in the coming months and years as this new and novel
> > > >> > class of attack vector is researched.
> > >> >
> > >> > Major items rumored to be coming soon-ish:
> > >> > Intel desktop: Widely expected to have a new 8-core mainstream
> > >> > chip out sometime later this year.
> > >> > Intel HEDT: Cascade Lake-X expected in Q4, up to 28C, though the
> > >> > series may span sockets. Maybe a 22C interim offering?
> > >> > AMD Desktop: Zen+ 2000-series just released offering minor
> > > >> > improvements, Zen 2 expected next year
> > > >> > AMD HEDT: Zen+ refresh of Threadripper expected soon, up to 32C.
> > >> >
> > >> >
> > >> > My personal take: I'd buy Intel for intensive, lightly-threaded
> > >> > workloads, and AMD for intensive, heavily-threaded workloads.
> > >> > Anything not intensive isn't going to be different enough to
> > >> > matter, so go with whatever floats your boat and/or wallet.
> > >> >
> > >> > Greg
> > >> >
> > >> > -----Original Message-----
> > >> > From: Hardware [mailto:[email protected]]
> > >> > On Behalf Of Brian Weeden
> > >> > Sent: Thursday, July 5, 2018 9:45 PM
> > >> > To: hwg <[email protected]>
> > >> > Subject: [H] Should I rebuild my machine now or wait until the
> > >> > next gen of CPUs?
> > >> >
> > >> > Currently running a core i5-3750K with 32GB of RAM on my main
> > >> > machine, which I use for both work and gaming.
> > >> >
> > >> > Been looking to replace it for several months now, but have held
> > >> > off in part because of all the vulnerabilities that keep turning
> > >> > up in modern CPUs (Meltdown, Spectre, and all their variants).
> > >> > The thing is, my existing CPU is old enough that it doesn't
> > >> > support any of the mitigations, so I'm actually less secure now
> > >> > than if I bought a new CPU that at least had mitigations against
> > >> > the vulns (even if the new CPUs that actually fix them are 6-12
> > > >> > months away).
> > >> >
> > >> > So first question is, is the time right to go do this now?
> > >> >
> > >> > Second question is, Intel or AMD? Is one better off than the
> > >> > other from a security standpoint that's worth taking into
> > > >> > consideration?
> > >> >
> > >> >
> > >> > ---------
> > >> > Brian
> > >> >
> > >> >
> > >> >
> > >>
> > >
> > >
>
>
>
> --


---------
Brian
