'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Intel's fix for Spectre variant 2 – the branch target injection design flaw affecting most of its processor chips – is not to fix it. Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips – at least for a few years until …

Silver badge

The bug is better than the buggy fix !!!

Until Intel get their act together and release stable fixes, I have disabled Windows Update on my home systems (neither Meltdown or Spectre is much of a threat to a home user). It is in my opinion safer to use a slightly out of date Windows 10 installation than an unstable one. (Edge / IE are not a problem on my system as they are disabled with the Norton firewall denying them internet access so their myriad of bugs do not matter.)

40
37
Silver badge

Re: The bug is better than the buggy fix !!!

Windows 10 is the real vulnerability in your system.

138
64

Re: The bug is better than the buggy fix !!!

I have AMD and I had to install Windows 10 update kb4073290 to get Windows 10 stable again. Since I am using Windows 10 Home I don't have the option of disabling the updates.

My AMD computer was not in an unbootable state but was showing signs of instability, with at least one random reboot. Random reboot should not happen under any circumstances.

https://support.microsoft.com/en-us/help/4073290/unbootable-state-for-amd-devices-in-windows-10-version-1709

42
0

Re: The bug is better than the buggy fix !!!

> neither Meltdown or Spectre is much of a threat to a home user

I hope you've updated your browser at least because Meltdown and/or Spectre can be used from JavaScript. Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers. Not quite a fix, but from a browser's standpoint that's really all they can do.

No idea about Chrome, and even less about IE.

72
2

Re: The bug is better than the buggy fix !!!

My understanding is that Microsoft never got as far as including the buggy 8th January Intel microcode in a Windows update.

14
0
Silver badge

Re: The bug is better than the buggy fix !!!

Wouldn't it be easier for the software to just set a bit to say whether it is evil or not?

42
1
Go

Re: The bug is better than the buggy fix !!!

> set a bit to say whether it is evil

You'll be thinking of RFC 3514.

A more general mechanism would make things easier. Where's that feature Linus?

18
2
Silver badge

Re: The bug is better than the buggy fix !!!

Win 7, NoScript, IE, Chrome, Firefox plus Voodoo Shield and killed the MS patch after it bogged the crap out of the PC. Since I don't "surf" but only hit trusted sites I'm not too concerned. The better half, I left the patch in place (along with the same config as mine). She doesn't mind the "hang" and maybe it will help her out. But then, she surfs like crazy.

I've got Linux ready to rock and roll once I can get one piece of software to work with it. Old software but I like it for work with a laser cutter.

15
0
Gold badge
FAIL

Translation "Any performance hit you take by setting this flag is on *you*"

Well in line with US Corporate (Blame the victim for our incompetence) culture. *

*More like what you find growing on cheese that's been in the fridge for a few months after its sell by date than artistic and social refinement.

38
2

Re: The bug is better than the buggy fix !!!

You hope they updated? Who do you think they are, James Bond? Most of us have nothing on our systems but data anyone can access on the Internet anyways. It is not like you're going to get the launch codes out of my PC, that's for sure. For the processing power it'd take to gain any worthwhile data out of Spectre or Meltdown you might as well just mine for bitcoins. You'd be ahead of the game. At least with mining you know there's some value in it eventually. On my PC right now you'd just be reading this stupid comment I'm posting. Big whoop de do. Random cache data is low grade ore. It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't.

14
42

Re: Translation "Any performance hit you take by setting this flag is on *you*"

If they're so incompetent where were all of the competent ones for the past 20 years? That's a mighty long lunch break they were all on.

10
2
Silver badge

Re: The bug is better than the buggy fix !!!

@paulfederick

Indeed you are correct. I'm avoiding these updates and there is nothing on my home PC of any interest anyway. Anyone wants to take a look, be my guest but you'll be bored after 5 minutes. And what is the likelihood of a successful Spectre attack by browser? Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit.

There will always be the prissy individuals that are frightened of everything and can't think for themselves though.

11
29

Re: The bug is better than the buggy fix !!!

Updates for Microcode via Windows are for their hardware only - Surface etc. - they have rolled out the new code for those, but not sure they pushed them via Windows Update as yet.

BTW, IE and Edge have both been patched to mitigate against the bugs, Chrome needs site isolation enabled (this may be default soon). Firefox - don't know - don't use it.

2
2
Silver badge

Re: The bug is better than the buggy fix !!!

@werdsmith with that attitude you may well find there is something interesting on your home PC before too long.

31
2
Silver badge

Re: The bug is better than the buggy fix !!!

> Indeed you are correct. I'm avoiding these updates and there is nothing on my home PC of any interest anyway.

So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

The odds of getting caught by it are very, very slim (at least at the moment), but it's very, very easy to underestimate the value of the stuff we actually use our machines for.

Not updating because you think there's nothing of value on your machine is naive. Base your decision on an actual assessment of the risk vs the trade-offs, not on the perceived value of the data on your system.

Just my 2p

42
1
Anonymous Coward

Re: Translation "Any performance hit you take by setting this flag is on *you*"

@ John Smith 19

Exactly, Intel is hoping that by giving consumers a "choice" they'll mitigate their liability. Intel f@#$ed up and this is not a real fix. In fact, it may create problems for less technical users.

This does make me wonder if the three letter agencies didn't request a "fix" like this whether they'd already been using this method to spy on people or just want to now.

11
3
Silver badge

Re: The bug is better than the buggy fix !!!

So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

Nope.

@Tom7 Nothing sinister has appeared on my PC in decades.

Plenty of interesting stuff though, isn't that the point?

2
11
Bronze badge

Re: The bug is better than the buggy fix !!!

PaulF, Perhaps you don't use your computer for banking but most people do. A baddie does not need to access your whole computer just a few bytes when you're typing your banking passwords.

13
2

Re: The bug is better than the buggy fix !!!

"(neither Meltdown or Spectre is much of a threat to a home user)"

Er, Meltdown is certainly a serious threat. It basically blows open your entire system's memory map to any bit of JavaScript (as an example) that your browser cares to load.

You might as well run an unpatched and unfirewalled version of Windows XP and say you are just as secure.

Install the Meltdown patch just to keep your SSL connections secure. Spectre won't be patched by a Windows update. You have to patch your BIOS so you can just patch Meltdown.

4
5

Re: The bug is better than the buggy fix !!!

"I don't "surf" but only hit trusted sites"

I thought "trusted" sites went out with the dodo. No site is trusted anymore, just more popular than others.

How many times have I read of a trusted site dishing out a drive by download due to a SQL injection attack that succeeded a few hours before. Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page.

Unless your trusted sites are written by yourself or your mates and are only accessible on an isolated intranet?

26
2

Re: The bug is better than the buggy fix !!!

"Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page."

But what if it only looks blank, a clever ploy to disguise the malware?

17
0
Anonymous Coward

Re: The bug is better than the buggy fix !!!

"It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't."

So you don't have any internet banking on your machine. Good. You also don't have any mortgage details or scans of ID documents. You also are not going to be editing a selfie with your bank card details visible at any time, I take it you are careful enough to not leave such cards lying on a surface where they may be photographed by accident.

I also assume you have no kids that may be using a computer with a built in webcam?

Everyone is a valuable target for someone. Just because you don't think of attacking someone's PC for their data or CPU cycles, don't think that someone you don't know and will never meet thinks the same as you. Of all the billions of humans out there someone will want your data or your PC, for money or whatnot. Sure they will prefer the easy targets. Don't be an easy target.

Thanks to Meltdown, unpatched you are basically running naked across the internet showing off all your SSL secret keys. Once someone catches a glimpse of your nude SSL secrets they can impersonate those sites. Once you think you are talking to Facebook and not them I'm sure they will have plenty of nice little downloadable packages that they can give you.

Ever heard of Firesheep? It was a very useful Firefox plugin. It was quite popular amongst Starbucks wifi users ;)

11
4
Anonymous Coward

Re: The bug is better than the buggy fix !!!

At last! someone who never does internet banking nor has any interaction with any site that talks to any government or financial body at any time over the internet.

I hope that you haven't browsed to any site that saves your credit card details. Amazon for example are really bad at doing that.

Luckily for you, not doing that means that there is no chance that some future malware delivered from a botnet constructed of 2 year old unpatched home wifi routers abandoned by the manufacturer won't be able to use Meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct Amazon via that authorised and established connection to add a new delivery address, change your password, issue wipe commands to any Kindle Fire tablet you have, deauthorise any other devices that may allow account recovery, grab details of any other connected accounts while at the same time ordering 1000's of (insert currency here) Amazon voucher codes/cards plus a new PC or two to be delivered to the newly added delivery address before they get put on eBay or that dodgy Amazon card site.

Honestly. People using the internet to buy stuff and manage their accounts was always a stupid idea. Luckily for you, you don't need to patch your machine because you don't do that.

8
3
Bronze badge

Re: The bug is better than the buggy fix !!!

manufacturer won't be able to use Meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct Amazon via that authorised and established connection to add a new delivery address

This is actually one thing Amazon do not too badly. You cannot get your stored credit card details back off Amazon, and attempting to enter a new delivery address requires re-confirming your payment details. Of course, compromise the connection and you can pretend to be Amazon, requesting confirmation of payment details...

9
0
Silver badge

Re: The bug is better than the buggy fix !!!

> Since I am using Windows 10 Home I don't have the option of disabling the updates.

Yes you do.

There are registry keys that can be changed and services that can be disabled to accomplish this.

There are even 3rd party programs, like ShutUp10, that give you a simple slider switch to disable/enable these features without having to go into the registry or services control panel.

8
0
Bronze badge

Re: The bug is better than the buggy fix !!!

00000000

^ US Launch codes inside the USA.

6
0
Silver badge

Re: The bug is better than the buggy fix !!!

"I don't have the option of disabling the updates"

Sure you do. Whitelist all the IP addresses you want to use on the firewall and Microsoft can't get at your machine.

2
3
Anonymous Coward

Re: The bug is better than the buggy fix !!!

On my PC right now you'd just be reading this stupid comment I'm posting.

"Oooohhh look, someone is browsing Vocaloid Pr0n, let's get our hacker buddies in on this..."

0
0

Re: The bug is better than the buggy fix !!!

"...

>> neither Meltdown or Spectre is much of a threat to a home user

> No idea about Chrome, and even less about IE.

..."

Chrome 63 added a test feature one needs to turn on called Strict Site Isolation (https://support.google.com/chrome/answer/7623121?hl=en), and Chrome 64 is going to address Meltdown/Spectre formally for all users, a version which should be released any second now... (they said the 23rd of January, which I note is today).

5
0
Joke

Re: Translation "Any performance hit you take by setting this flag is on *you*"

Hmm... guess we can either wait for v9+ or a new design. Probably take about the same amount of time for either. While they dance, we wait.

1
0

Windows 10 Home doesn't have the option of disabling the updates

Can't you add

127.0.0.1 microsoft.com

to your hosts file (Windows has one buried somewhere)? That should fix it.

1
1

Re: The bug is better than the buggy fix !!!

So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

Nope.

@Tom7 Nothing sinister has appeared on my PC in decades.

Plenty of interesting stuff though, isn't that the point?

==

Mr Krebs says it best, YOU thinking your PC is not 'interesting' doesn't mean it isn't of interest

https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

3
0
Silver badge

Re: The bug is better than the buggy fix !!!

Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers

Reducing the resolution of the high-precision timer, and disabling shared arrays, is mostly theater. There are many ways to get a sufficiently high-resolution timer in JavaScript.

Note that in the original Spectre paper, the authors didn't bother to use the JavaScript high-precision timer, because it was already disabled in Chrome. Door closed, horse bolted.

2
0
Anonymous Coward

Re: Reducing the resolution of the high-precision timer

"Reducing the resolution of the high-precision timer"

Are you sure you mean what you've written?

Resolution and precision are separate concepts, and accuracy is yet another.

There are lots of places around the web where this distinction is discussed; go have a read and find a description that suits your needs (I'm not even going to try).

Or try talking to someone who understands the technology of measurement, e.g. someone who understands what might be going on when a digital frequency meter says the mains frequency is 55.000645 Hz. It's about time.

Are there any "security researchers" who even understand the distinction, let alone are capable of explaining why the distinction doesn't matter to their alleged "exploit"?

1
0
Roo
Silver badge
Windows

Re: The bug is better than the buggy fix !!!

"Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit."

I'm in the same boat as far as my desktop box goes, but I do give a bit of a shit because quite frankly having a machine go tits up on you costs time and effort to resolve... I have found that prevention is better than a cure - simply because it wastes less time.

1
0

Re: The bug is better than the buggy fix !!!

'Random reboot should not happen under any circumstances.' - incorrect, unless you are using ECC registered memory then your computer is susceptible to data corruption from outside sources such as solar flares. Some articles have reported that with 4GB memory you are likely to have at least 1 bit error every 48 hours, whereas with ECC registered memory it's more like 2.7 million years.

Random reboots can also be the result of poor code, especially drivers, though you would expect Windows to highlight this in this case.

0
0
Silver badge
Pint

Good man Linus! Pint for you.

You there Intel??? No beer for you.

134
5
Anonymous Coward

@wolfetone:

"Good man Linus! Pint for you.

You there Intel??? No beer for you"^H^H^H^H^H^H^H^H^H^H^H Your shout, we think.

What's that you say, Intel? You left your wallet at the office? Along with your brains?

There! Fixed that for you, @wolfetone. You're welcome.

17
3
Silver badge

"Let 'em have it Linus"

Generally I'm not a fan of Linus's swear attitude. But in this case, Intel deserved everything they got.

30
2
Silver badge

Re: "Let 'em have it Linus"

As usual, I think that Linus is exhibiting extreme tolerance.

I'd have really lit into the fucking idiots.

46
2
Silver badge
Pint

@AC

A pint for you!

1
2
Bronze badge

Re: "Let 'em have it Linus"

"As usual, I think that Linus is exhibiting extreme tolerance."

Tolerance !!!!!!!!!!!

the man is a c**k

4
32
Silver badge
Headmaster

Re: "Let 'em have it Linus"

the man is a c**k

Cork? Could well be.

I expect that if you throw him into a pool or river, he'll float.

10
0

Re: "Let 'em have it Linus"

"I expect that if you throw him into a pool or river, he'll float."

He's a witch!

11
0

Re: "Let 'em have it Linus"

"Cork? Could well be.

"I expect that if you throw him into a pool or river, he'll float."

I forget, does that mean he is or isn't a witch?

EDIT: pipped at the post by Nunyabiznes!

7
0

Re: "Let 'em have it Linus"

He's a witch!

Or a duck.

9
0
Go

Re: "Let 'em have it Linus"

I am definitely a fan. How hard would it be for Linus to walk away from all of this and ignore the poison atmosphere and open up another beer? Somebody shouting like this cares a lot, and they're not passively going to let the hooting monkeys waving flaming tree branches in the front yard get away with poo-flinging shenanigans. I'm sorry but sometimes it does seem to me like threatening somebody's kids with a spanking is exactly what is needed.

4
0
Silver badge

I wonder if there's a compromise. Introduce another flag that shows it's not broken, as Linus put it but in the short term is toggled by Intel's boot time flag setting and in the longer term is permanently set to show that it's a properly fixed design.

1
9
Silver badge

"I wonder if there's a compromise. Introduce another flag that shows it's not broken"

Isn't that the same as a flag to say it's secure? This is what Linus is wanting - future CPUs to state "I'm fixed" so that the performance-sapping workarounds aren't applied. Intel on the other hand is wanting the security fix to be opt-in, which Linus rightfully states is insane.

21
1
Silver badge

"Intel on the other hand is wanting the security fix to be opt-in, which Linus rightfully states is insane."

AFAICS Intel seem to be saying that, at least in the short term, their only option is a performance-draining one which they want to make opt-in. That doesn't preclude them having a better option in the long term, even if they have no present intention and are forced into it. A flag which says "I'm fixed" could mean fixed by having opted in on the immediate option but fixed by a redesign in the better, long term version.

The boot-time, user-settable flag would be the choice of speed vs security. With a fixed design this would become a no-op because the user would have security and speed.

The run-time, read-only flag would simply tell, if clear, that any mitigation needed would have to be in S/W. If set the S/W itself would have any indication of whether it was set as a user choice or by the redesign.

This would only work if, speed issue apart, the microcode and hardware fixes were equivalent from the user point of view. Intel clearly aren't going to be able to deliver the full, no speed penalty fix that Linus - and the rest of us - want in the short term via microcode changes. If, however, they were able to deliver the "I'm fixed" flag that Linus asks for as part of the short term microcode fix then they'd be wise to listen to him. In the meantime Linus - and the rest of us - are going to have to live with what can be delivered in firmware changes to microcode.

3
0


Biting the hand that feeds IT © 1998–2018