back to article Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

A design flaw in Intel's processors can be exploited to install malware beneath operating systems and antivirus – making it tough to detect and remove. "It's a forgotten patch to a forgotten problem, but opens up an incredible vulnerability," said Christopher Domas, a security researcher with the Battelle Memorial Institute, …

  1. Tom Womack

    Thanks for this interesting description of an interesting problem!

    1. boltar

      "Thanks for this interesting description of an interesting problem!"

      Don't you mean "super-interesting" like in the article? I'm not sure if thats the Ring 0 to "very interesting"'s Ring 3 or perhaps its just another silly americanism that grates on the ears. I suppose Ring -1 would be "Awesome interesting".

      1. Mark 85 Silver badge

        Perhaps the "interesting" part is "one ring to rule them all and it's flawed".

        1. rusk123

          'minus' one ring to rule them all

      2. Fungus Bob Silver badge
        Headmaster

        perhaps its just another silly americanism that grates on the ears"

        No, definitely British. Tony Webster and David Harris-Jones were abusing the English language this way in the 1970's.

      3. asdf Silver badge

        ah that makes sense

        Errata started in 1995 eh? Wasn't that about the time the NSA quit fighting against allowing the proles in the US (see harassment of Zimmerman) to use strong open public key encryption (as opposed to pushing the Clipper chip fail they came up with)? Guess we now know why.

        1. Anonymous Coward
          Anonymous Coward

          And it's replacemet bug is?

          The next logical question is, where is the replacement bug hidden?

  2. Anonymous Coward
    Anonymous Coward

    The UBIK flaw

    And then he recognized the profile. I wonder what this means, he asked himself. Strangest thing I've ever seen. Most things in life eventually can be explained. But - Joe Chip on a fifty-cent piece?

    It was the first Joe Chip money he had ever seen.

    He had an intuition, chillingly, that if he searched his pockets, and his billfold, he would find more.

    This was just the beginning.

    1. Loyal Commenter Silver badge

      Re: The UBIK flaw

      +1 for the PKD reference. I wonder if this flaw can be manipulated by purple beams from intelligent satellites in space?

  3. Anonymous Coward
    Anonymous Coward

    a ha ha ha ha ha :(

    There have been a few debates on El Reg over the years, where the *real* nerds have pointed out that all the FOSS in the world can be compromised if the compilers are hooky.

    At which point I (and others) have logically progressed that argument and pointed out that it's no good having faith in a compiler you wrote if you are then going to run it on a chip whose architecture and firmware you hadn't had control off. To a general air of "when has a chip ever had a bug ?".

    Stories like this demonstrate that you really need to draw an arbitrary line beyond which you are forced to accept you can't ensure 100% security.

    1. Destroy All Monsters Silver badge
      Windows

      Re: a ha ha ha ha ha :(

      I throw myself into the dust as to your wisdom, Oh Anonymous Sage!

    2. Anonymous Coward
      Anonymous Coward

      Re: a ha ha ha ha ha :(

      True, but at least Linux will run on open architectures like OpenRISC, a platform that Windows will probably never colonise. So the truth is that, while there is a limit to how much we control, we control a damn sight more than any Windows user can hope for.

      We know about this flaw now, and so it's theoretically possible to guard against the possibility of exploits where possible or to replace the aging boxes affected by the flaw.

      1. Charles Manning

        re: OpenRISC

        OpenRISC... The CPU code is open, but what about the package that cooks the VHDL down to fit on the ASIC/FPGA? What about the program that writes the bitstream to the FPGA.

        Remember that's basically how Stuxnet works...

        There is no complete guarantee.

        1. Anonymous Coward
          Anonymous Coward

          Re: re: OpenRISC

          There is no complete guarantee.

          No, there isn't, but the fact remains there's a greater guarantee here than on other OSes.

          The only true guarantee is to go and build it yourself. For most of us though, we're willing to take a RISC.

      2. Charles Manning

        Re: a ha ha ha ha ha :(

        "We know about this flaw now,"

        Yes we know about it. We also know how drugs get into prisons, yet every day prisoners around the world get stoned.

        Security is like virginity and balloons: one prick and it's gone. One little vector is all you need.

        Sure Windows has more vectors, and they're likely easier to attack, but basically we have a situation that you just have to assume anyone can get to anything they want to.

        Not much different to the physical world really. Locks can be picked, cops can be bribed. Blackmail and threats will get a sufficiently determined and resourced person anything they want.

        1. Michael Wojcik Silver badge

          Re: a ha ha ha ha ha :(

          Security is like virginity and balloons: one prick and it's gone

          A sophomoric reducto ad absurdam. No one who actually studies security in any serious way would make such a statement.

          Security is not a binary condition. It's a measure of relative costs under a threat model.

        2. Alan Brown Silver badge

          Re: a ha ha ha ha ha :(

          "Security is like virginity and balloons: one prick and it's gone. One little vector is all you need."

          Which is why onion layer security is so important. Yet the world insists on egshells.

      3. TheVogon Silver badge

        Re: a ha ha ha ha ha :(

        "True, but at least Linux will run on open architectures like OpenRISC, a platform that Windows will probably never colonise."

        Only because there is no demand for it. OpenRISC doesn't really protect you from anything as there are so many other hardware and software dependencies involved.

        Windows already supports Arm, IA-32 and x64 which are by far the largest current market segments. And Windows has previously supported Alpha, MIPS, Itanium and PowerPC, so additional processor support is not a problem if there was a need for it...

        1. Alistair Silver badge
          Coat

          Re: a ha ha ha ha ha :(

          @Vogon:

          Considering the slippery slope MS has decided to start down, and the state of ALPHA MS when it was dropped, I wouldn't expect that MS will get much past putting Windows on more than one or two Arm processors. Far too many proprietary tweaks in those. I'll admit NT/2k on alpha smoked like little else I've seen run under the windows 'brella, but as it was, there was bugger all beyond the OS you could run there other than highly proprietary code (was used in OTA payment transfers app, in house software, one off case). And, yes, MS got windows running on MIPs, sadly in every case I saw, it ran off cliffs with astonishing regularity.

          1. Alan Brown Silver badge

            Re: a ha ha ha ha ha :(

            The problem with Windows NT on "other platfoms" is a tale of two cities.

            One is the NT OS (ancestry being VMS and Multics) - which is incredibly solid, has permission models which Unix can only dream of and runs just fine on other architectures

            The other is the GUI layer, which is a tangled clusterfuck combined with a sucking quagmire and throws virtually all the finer points of the OS permissions out the window.

            The fact that Microsoft tied the two together so indivisibly means that the entire mess is best avoided.

        2. Def Silver badge

          Re: a ha ha ha ha ha :(

          And Windows has previously supported Alpha, MIPS, Itanium and PowerPC...

          Xbox360 was PowerPC based, so a cut down Windows kernel was running there more recently than some of the other architectures mentioned.

        3. CFWhitman

          Re: a ha ha ha ha ha :(

          "Windows already supports Arm, IA-32 and x64 which are by far the largest current market segments. And Windows has previously supported Alpha, MIPS, Itanium and PowerPC, so additional processor support is not a problem if there was a need for it..."

          That's a rather rosy viewpoint to take of Windows cross-architecture support. Windows supports x86 and x86_64, yes. Support for anything else has to be qualified, and a lot of it was never very useful.

          Windows has had some kind of ARM support for years. It's biggest success in this area was Windows CE/Windows Pocket PC. Of course Windows CE and company wasn't really the same operating system as Windows on the desktop. It had its own set of software and not much in common other than a standard approach to the UI. It fell into obscurity with the rise of the touch UI and the operating systems that relied on that scheme for mobile devices.

          Now Windows supports ARM in a different way. It's approach this time is similar to that of Android to run common software on multiple architectures with a virtual machine or something like one. Of course that approach has its limits, but it has its advantages as well. The problem for Windows here is that there is not a lot of software that runs that way. Most of the applications for Windows, especially the popular ones, only run on X86 variants. Windows has ARM support, but not for the programs people think of when they think of Windows.

          Windows used to have Apha, MIPS, and PowerPC support back in the late nineties. However, not that many apps were ever released for those architectures (and almost all of the few that did were server applications), and Microsoft ended support. Again, the Windows applications for x86 wouldn't run on those systems. A similar situation existed for Itanium later on.

          So yes, Windows has nominally supported a number of architectures at different times, but none of them have had the applications available to make Windows a real success. At this point Windows has basically been stuck with x86 based architectures. Theoretically, if x86 based architectures were to be cancelled, then application vendors would port their applications to whatever Windows moved to. However, that is not likely to happen.

          Of course open source software tends to adjust to different architectures more easily. Most Linux applications have been compiled for a number of architectures because they are open source. This makes is so Linux has been ready for ARM, MIPS, Power, or Itanium, etc. desktops and servers for a while.

          However, this doesn't make Linux (as in GNU/Linux, the operating system) ideal for mobile devices. Right now, Android and iOS are the successes there. Will convergence ever actually happen (with Windows RT/Modern UI, Ubuntu Snappy, Android, or whatever)? I'm not sure. There are many issues to be dealt with. It seems to me that you would need to have either two sets of applications that ran on the same base, one for mobile interfaces and one for desktop interfaces, or you would need to have one set of applications that had dual interface modes.

    3. gerdesj
      Linux

      Re: a ha ha ha ha ha :(

      " .... To a general air of "when has a chip ever had a bug ?". ... "

      You may not be aware of the CPU errata driver that loads new microcode into the CPU at boot on many OSs. So to those espousing the above - get off my lawn and back to school with you! You may be too young to remember such classics as the FDIV bug.

      All levels of a computing device, from case to application (and not stopping at the keyboard, for that matter), have bugs and design flaws in them.

      To el reg: thanks for a great article.

      1. boltar

        Re: a ha ha ha ha ha :(

        "All levels of a computing device, from case to application (and not stopping at the keyboard, for that matter), have bugs and design flaws in them."

        Very true. However it doesn't change the fact that System Management Mode was a profoundly stupid idea, probably one of the dumbest Intel ever had. This isn't the first hack involving it and it almost certainly won't be the last.

        1. Anonymous Coward
          Anonymous Coward

          Re: a ha ha ha ha ha :(

          Why is that?

        2. John Savard Silver badge

          Re: a ha ha ha ha ha :(

          I definitely don't like the idea of placing the reserved memory area for SMM at the end of the first 512 megabytes of memory. That means that the largest array one can use on one's computer is 512 megabytes smaller than all RAM available. Although I suppose the virtual memory hardware means that memory can look contiguous when it really isn't, so this only comes up if one is turning that off for maximum speed...

      2. launcap Silver badge

        Re: a ha ha ha ha ha :(

        > " .... To a general air of "when has a chip ever had a bug ?". ... "

        > classics as the FDIV bug.

        I remember (many many moons ago) arguing with a colleague about the use of non-Intel chips (in this case AMD). He was adamant against the use of non-Intel on the basis that "Intel were the premier chipmakers and produced chips with no errors - you always knew where you were with Intel". Then the next day the news of the FDIV bug came out..

        Sadly, he didn't change his worldview even when faced with the evidence. So we carried on buying Intel-only computers despite the cost premium.

      3. Pascal

        Re: a ha ha ha ha ha :(

        "You may be too young to remember such classics as the FDIV bug"

        My favorite quote at the time - "We are Pentium of the Borg. Division is futile. Prepare to be approximated."

      4. Solmyr ibn Wali Barad

        Re: a ha ha ha ha ha :(

        "such classics as the FDIV bug"

        And F00F bug that brought processor to a grinding halt.

        www.drdobbs.com/embedded-systems/the-pentium-f00f-bug/184410555

        1. streaky Silver badge

          Re: a ha ha ha ha ha :(

          F00F was easily fixed at the OS level though.

    4. Charles Manning

      Re: a ha ha ha ha ha :(

      Quite

      Even if you have the full source code for the CPU, have you checked the compiler that then compiles the code into gates... and the software that then writes the gates to silicon.

      These days even memory controllers have CPUs and code in them. Your disk driver has 2 or 3 ARM cores in it. Got the code for them? Checked it? Checked the compilers?...

      A dma and a small state machine are all that is required to make your whole motherboard address space visible over an ethernet port. It would be an afternoon's work to hide that inside an ethernet controller.

      After a while you just have to make some assumptions like you do in the physical world.

      1. Michael Wojcik Silver badge

        Re: a ha ha ha ha ha :(

        After a while you just have to make some assumptions like you do in the physical world.

        You always, right from the beginning and at every moment thereafter, have to make assumptions about security. You have to make assumptions about everything. Descartes showed that with his "Evil Genius" thought experiment, and he's hardly the only one to have made the argument.

        The epistemological scandal is inescapable. There's no way to guarantee that you know anything with certainty.

    5. Anonymous Coward
      Anonymous Coward

      Re: a ha ha ha ha ha :(

      To a general air of "when has a chip ever had a bug ?"

      I think you must have dreamt that

    6. streaky Silver badge

      Re: a ha ha ha ha ha :(

      To a general air of "when has a chip ever had a bug ?"

      Those people are crazy, they happen all the time. I think the issue is more when has a chip had a security bug that somebody found and it hasn't been possible to mitigate it with a microcode update. I don't think it's ever happened before.

      Given the timing of the introduction and precisely where this bug is in the CPU one has to start asking themselves rationally if it was intentionally introduced and if Intel should be doing a product recall; that's the major issue here.

      1. Mpeler
        Coat

        Re: a ha ha ha ha ha :(

        That's not a bug: it's a feature...

    7. Sam Liddicott

      Re: a ha ha ha ha ha :(

      You don't actually need to draw the line, just recognize that one might be drawn...

    8. Michael Wojcik Silver badge

      Re: a ha ha ha ha ha :(

      Stories like this demonstrate that you really need to draw an arbitrary line beyond which you are forced to accept you can't ensure 100% security.

      Anonymous amateur rediscovers threat models - film at 11.

    9. Dodgy Geezer Silver badge

      Re: a ha ha ha ha ha :(

      You CAN have security - at least security against external world attacks. (Seeing that human error produces far more incidents that the most assiduous attackers, that may not be 100%.)

      All you need to do is to dig up some sand, then extract some pure silicon from it, then design your fab plant......

  4. TReko

    We've got our FBI on you

    According to Mr Snowden, this SMM exploit is/was used by our NSA friends in SOUFFLETROUGH, SCHOOLMONTANA and DEITYBOUNCE for DELL

    1. Anonymous Coward
      Anonymous Coward

      Re: We've got our FBI on you

      "used by our NSA friends in" or designed by our NSA friends for..?

    2. launcap Silver badge

      Re: We've got our FBI on you

      >SOUFFLETROUGH, SCHOOLMONTANA and DEITYBOUNCE for DELL

      Case NIGHTMARE GREEN?

      1. Destroy All Monsters Silver badge
        Alien

        Re: We've got our FBI on you

        Another software disaster as David Cameron hatched unobstructed.

      2. lawndart

        Re: We've got our FBI on you

        @ launcap

        If the Black Chamber muck about too much I'll have to get Pinky to tinker with my camera.

    3. Anonymous Coward
      Anonymous Coward

      Re: We've got our FBI on you

      Now why might I not be surprised? Aside from the fact that a multi-billion dollar agency with some of the better hackers on the planet might detect it and keep it hidden since the same head mo-fo in charge is also responsible for offensive operations as well as defensive.... Hell, they probably never needed an order to make such a modification. Given the sheer complexity of systems today at the component level (software and hardware), such a vulnerability was bound to happen. Just go spelunking to find it. Which gives more credence to the accidental occurance since Intel found and fixed it.

      1. Alan Brown Silver badge

        Re: We've got our FBI on you

        "Hell, they probably never needed an order to make such a modification"

        This is far more likely.

        Giving orders for such things means that someone will blab eventuallly. Finding holes and keeping sctum means that knowledge never leaves the lab which found it.

        Remember this is the same NSA which advised against a bunch of password space not being used in the 1970s and it took 30 years for the holes in the DES algorithm behind that advice to be unearthed by civilians.

        ISTR a bunch of discussion at the time that they gave up on Clipper along the lines that they must've found a better backdoor - and in such cases where they suddenly go quiet on something I'd say that's a deliberate hint that they're not allowed to release something but civilians should be paying attention to what's NOT being said.

  5. Anonymous Coward
    Anonymous Coward

    Is this a unique or surprising issue?

    This may be an ignorant question because I have not looked in detail at Intel based architectures since 286 days but if you have the ability to run code at ring 0 aren't there other ways to access these negative levels? Anything that cna be a bus master or capable of memory writes, for example if you have access to a device with DMA capability can't you use it to write whatever you want wherever you want or does the Intel architecture prevent access to certain locations?

    1. Smooth Newt

      Re: Is this a unique or surprising issue?

      Digital Equipment Corp made the first page of virtual memory no access in VAX/VMS, because 0 is such a special number for pointers, unused values etc. The resulting exceptions identified pointers set to null etc. Maybe hardware designers should make physical address 0 no access for similar reasons.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this a unique or surprising issue?

        On the Amiga while running Enforcer, the interrupt pointer memory location 0 was remapped to internally catch null pointers. It was one thing (Mungwall and Steve Tibbets' VirusX the other two) that was run while I was screening uploads to the Amiga Fora on CompuServe. Which should explain my zero patience with null pointers even though it's my code doing the checking on x86/x64.

      2. mevets

        Re: Is this a unique or surprising issue?

        If you have the ability to reprogram the apic, you have the ability to reprogram the page tables, so this wouldn’t help.

        Most OSes do not map 0; but kernel code certainly can, even in VMS.

  6. Bob H

    Intel Media Processors

    Now I am wondering if any of Intel's CE chips used in pay TV are vulnerable to this exploit. Obviously it depends on the ability to execute privileged code to begin with but that isn't improbable.

  7. Mage Silver badge
    Pirate

    Require root or administrator access ...

    If a miscreant has root or administrator access, then you are stuffed anyway. So while this is fascinating, it's hardly a worry.

    Four year old + CPUs would have been prehistoric in 1995 but isn't really old at all in 2015. (ironic that NT & UNIX & OS/2 etc could use a 1995 Pentium Pro properly but Win95 went slower on it).

    Now if the bus on a lithium battery pack could inject code, then I'd be worried.

    1. Anonymous Coward
      Anonymous Coward

      Re: Require root or administrator access ...

      The difference is, you can't find the malware once it's there. If owned by using a 0-day exploit, you will never find it or know it's there.

      1. Anonymous Coward
        Anonymous Coward

        Re: Require root or administrator access ...

        "If owned by using a 0-day exploit..."

        Or a quick boot before delivery...

        Or a "rogue" vPro/AMT packet...

        Or a glancing visit by an evil maid...

        Or a MiTMed BIOS update...

        Or...

    2. Dr. Mouse Silver badge

      Re: Require root or administrator access ...

      "If a miscreant has root or administrator access, then you are stuffed anyway."

      If you perform regular audits, system monitoring, and other checks you can pick up malware installed in the OS. If all else fails, you can wipe everything... "Bang! And the malware's gone!"

      If this bug is exploited, the code lives in the CPU's firmware. Virus scanner? Nope, can't see it. Reformat and reinstall? Nope, still there. As with love, our "normal approach is useless here".

      1. streaky Silver badge

        Re: Require root or administrator access ...

        "requires root" when you're talking about exploiting systems isn't any sort of barrier. Now one assumes on systems with not unreasonably old CPUs if you get rooted then your hardware is junked. You have no way of finding or removing something put there with this so why wouldn't you make that assumption.

        System compromises tend to chain a bunch of exploits together (for example web app -> shell unpriv -> root), now they can add a little something extra to the end; and that something is a pretty nasty kick in the hardware teeth.

        Do you own a dedicated server hosting business? How do you know your systems aren't compromised with this? Oh, yeah, you don't.

    3. Solmyr ibn Wali Barad

      Re: Require root or administrator access ...

      "ironic that NT & UNIX & OS/2 etc could use a 1995 Pentium Pro properly but Win95 went slower on it"

      That's because PPro ran 16-bit code very slowly. Intel did caching changes in PII (OK, quick search suggests segment register caching was the fix).

      tomshardware.com/reviews/intel-pentium-ii,20.html

  8. Duncan Macdonald Silver badge

    DMA device ? BIOS ?

    Many devices have DMA access to memory - does the MCH block access to the SMM RAM area from DMA devices (eg a graphics card or a disk drive)? If it does not then there is a much bigger hole.

    As the SMM code is loaded from the BIOS - any technique that allows the BIOS to be reflashed also allows the SMM to be reprogrammed.

  9. Measurer

    Genuine question!

    Back in the dim and distant, when I was messing with Z80 CPU dev kits with PIO's for my HNC, the PIO control registers (to generate NMI's on particular input combinations etc.), were at fixed addresses and not mapped (or remappable) to memory locations. I realise I'm comparing a dingy to a supertanker, but why on a Pentium class CPU is the APIC control register mapped to memory and not at some hard coded address which is off limits to anything other than the SMM?

    1. Simon Harris Silver badge

      Re: Genuine question!

      When peripherals and controllers are included on the CPU, it is, at least with Intel, the case that they are relocatable to allow them to be reconfigured to fit around RAM or other external devices. This goes way back to the 80186/80188 (effectively an 8086/8088 with on-board interrupt, DMA and timer controllers, and a few extra instructions) mostly used for embedded systems. The on-board systems could be moved around the memory or IO map even as long ago as 1982 on this slightly larger dinghy.

      1. This post has been deleted by its author

        1. Mike 16 Silver badge

          Re: Genuine question!

          -- I thought I was the only person on the planet who knew about it's existance. --

          You, me, and all the wannabe PCjr cloners who heard the rumors that "peanut" would be 80188-based and pre-bought carloads. Than someone noticed that PC-DOS used "reserved for future expansion" interrupts as system calls, and Intel had assigned them to things like the on-board DMA engine. Other rumors suggest that IBM (and only IBM) were allowed to return their 80188s for credit on the 8088s they ended up using, but I was never a Rat Mouth confidante and as my Gran used to say upon hearing a rumor "Were you there?" Nope.

          1. IvyKing
            Flame

            DOS and reserved interrupts

            Tim Paterson did pay attention to Intel's reserving interrupts when he wrote QDOS/86-DOS for Seattle Computer Products, the lowest interrupt used by DOS was int 20H. It was IBM and maybe Microsoft that used the reserved interrupts for the PC's ROM-BIOS. IBM also made the blitheringly stupid mistake of using the NMI for the 8087 co-processor despite Inetl clearly stating the the NMI was NOT to be used for the 8087.

        2. JQW

          Re: Genuine question!

          There were certainly 80186 processors fitted in some of the hardware I had to deal with 20 years ago.

          I'm sure there was one in the original version of 6 port serial card which I had to deal with almost daily, a horrible ISA card that needed a 128K hole in the PC's memory map to function. Finding a suitable hole wasn't that easy, and was made worse when customers wanted two or even three of these in one machine. You could just about get them to work on EISA based systems, but not all of them. Anyway....

          There may have also been one in a fax processor board we also used.

          1. Hargrove

            Re: Genuine question!

            Oh Joy! Some people do still speak my language!!

        3. Christopher E. Stith

          Re: Genuine question!

          Tandy/Radio Shack had a whole line of models that were 81086. NEC v20 and v30 chips used in things like my HP 95LX, 100LX, and 200LX had 80186-compatible instruction sets.

          Anyone who says the 80186 never existed is an idiot with a poor grasp of the history of the field and no willingness or ability to use a web search engine.

        4. DJV Silver badge
          Thumb Up

          @1980s_coder

          I used to program Burroughs/Unisys B2x series computers (designed by Convergent Technologies) in the 1980s - the B25 used the 80186. More info here:

          https://en.wikipedia.org/wiki/Convergent_Technologies_Operating_System

        5. Michael Wojcik Silver badge

          Re: Genuine question!

          Some of IBM's XStations used 80186s, with TI TMS34020 or similar as the GPU.

          Can we wax nostalgic about the 34020 too? When I was at IBM, circa 1990, I wrote code for the thing, for a document-imaging system that I don't think was ever released. Mostly I pushed ddx routines for X11 down to the card, actually, which makes me wonder if any of that code ended up on the XStations.

      2. bazza Silver badge

        Re: Genuine question!

        I too am old enough to remember the 80186. Research Machines (RM) in the UK used them in their schools-focused PCs in around about 1986? I remember that they ran a slightly wonky version of DOS...

        1. Karl Austin

          Re: Genuine question!

          Pretty sure that's what the machines in the IT lab at my secondary school were - right up until 1994/95!

      3. Old Tom

        Re: Genuine question!

        We hit a bug in early versions of the 80186, if an interrupt came in while my dma transfer was going on, the interrupt controller set the ack pin during the transfer of the last byte. Thus the last byte was regularly corrupt - but to a consistent value, which turned out to be the relevant interrupt number.

  10. Anonymous Coward
    Anonymous Coward

    Wasn't there an SMM rookit presented at Blackhat 2008 ?

    1. Anonymous Coward
      Anonymous Coward

      bluepill iommu rootkit 2006?

  11. TRT Silver badge

    So, who was stealing all the data and trying to scare off the security guards?

    Mr Hypervisor!

    Not so quick... *peels off rubber mask*

    The creepy janitor!

    And I would have gotten away with it too, if it wasn't for you meddling kids.

  12. Anonymous Coward
    Anonymous Coward

    AMD?

    good, bad or worse?

    1. Anonymous Coward
      Anonymous Coward

      Re: AMD?

      significantly less stinking from my perspective

      anon

  13. Dan 55 Silver badge
    Trollface

    None of this matters anyway

    As yet nobody's published hard evidence on ring -3 which was implemented at the NSA's request.

    1. DropBear Silver badge
      Terminator

      Re: None of this matters anyway

      Nonono, ring -3 is where the Master Control Program lives. But it's all very hush-hush you know...

      1. Michael Wojcik Silver badge

        Re: None of this matters anyway

        Nonono, ring -3 is where the Master Control Program lives

        Even worse - all of the MCP's routines are available to Sark. And you never know where that bastard will end up.

  14. Anonymous Coward
    Anonymous Coward

    so seriously noone sees the connection?

    There is no security in any sense of the word since microsoft and intel stole computing, our whole world was undermined by what can be at best be called "design" stupidity and at worst intentional sabotage for the purpose of espionage.

    Given that every ms and intel offering was unfit for purpose how about they are both made to release all patents and all documentation into the public domain that or they can return all the cash they extracted over the last four decades.

    Hopefully then someone with ethics can create, without legal interferance, the secure computing platform we have been denighed since home computing changed from microcomputers to "PERSONAL",ha, computers

    1. This post has been deleted by its author

    2. Karl Austin

      Re: so seriously noone sees the connection?

      Unfit for purpose? So the computer you've got right now, to browse the internet on, play games on, read your email isn't fit for the purpose you bought it for? so how come you're managing to use it for the purpose you bought it for?

      1. Anonymous Coward
        Anonymous Coward

        Re: so seriously noone sees the connection?

        My purpose is to be able to do all those unix compatable operations and yet not loose my personal information in the process.

        You can buy a PC with windows for very little but the hidden cost of recovering your identy isn't made plain at point of sale.

        I suppose if you are unlikely to get credit or own nothing of value then it is no real loss using windows or even volenteering for medical experimentation. However those that do have something to loose have been using windows in the mistaken belief that by buying a product these companies wouldn't treat you as a criminal without the right to privacy.

        That we hear so many reports of data going astray and "experts" saying it is impossible to make a finished product without bugs and security holes this says just how much we have all been sold down the river

        1. Anonymous Coward
          Anonymous Coward

          Re: so seriously noone sees the connection?

          Any large scale piece of software will have bugs, it's inevitable - humans make mistakes, especially when it comes down to the lower levels of working with memory pointers etc. or even lower down and working with bits of machine code. Very few people can truly visualise what a tiny change in one part of the code might do to the rest of it - they think they can, but that's where bugs come from.

          An operating system is not a small trivial piece of software. All software that does anything useful has bugs.

          1. Anonymous Coward
            Anonymous Coward

            Re: so seriously noone sees the connection?

            "Any large scale piece of software will have bugs" - this is a lie, yes people can make mistakes during coding however they should all have been removed before a professional company starts selling a product as finished. That this lie has been so throughly accepted by those without a understanding of what used to be called a professional approach to coding says why PCs and their software get away with being so buggy.

            That Microsoft have managed to convince the world that software engineering is more complex than any other human activity shows just how guillible most people are.

            Computing has to be the most contained and controlled of all the sciences and yet without the external conditions other sciences have to counter the leaders in the field can't/don't make it work.

            The only people who cannot envisage "what a tiny change in one part of the code might do to the rest of it" should not be allowed to call themselves Software Engineers or talk about this subject as though they had a clue.

            I can forgive the ignorant for failing to understand that in professional Software Engineering the code is modular and should be self contained. This way when you make each module secure within a complex system then you have a chance to make the whole system secure, this sadly is something that MS do not or need to do. Microsoft can instead sell buggy code and the idea that it is impossible for anyone to create anything complex without fking it up and people like you believe them and spread their lies to others.

            Before there was Microsoft there were complex operating systems that worked without bugs admittedly MS are coding for a generic hardware platform but then again that is what abstraction is for.

            The particular "fault" under discussion here can at best be seen as the right hand not knowing what the left is doing, through not caring enough to fix a stupid error, onto intentionally leaving backdoors.

            There is no excuse for this "fault" to exist in "finished" products and to be fair intel should be recalling and replacing said "faulty" equipment

  15. Named coward

    512MB

    512Mb mark in physical RAM? in 1995? What am I missing?

    1. BinkyTheMagicPaperclip Silver badge

      Re: 512MB

      512MB was a lot of memory in 1995.

      It's also the limit of memory if your operating system using LDT tiling, but I suspect that's not relevant.

  16. J J Carter Silver badge
    Big Brother

    NSA code runs at ring -3, right?

    1. TRT Silver badge

      The president's ring is obviously -1. The NSA are not going to kiss it.

  17. JakeMS
    Joke

    Just goes to show..

    If you really really want a secure PC, never connect it to the internet, not even for a single millisecond, encrypt the HDD using LUKS, unplug it, store it away and never turn it on again. :-).

    Now that is what I call a secure PC!

    1. launcap Silver badge

      Re: Just goes to show..

      > Now that is what I call a secure PC!

      You forgot:

      Crush it with a Victorian Steam Press (hack that!)

      Collect crushed bits in hand-forged steel box and weld shut

      Cover steel box in concrete. We recommend at least 30cm thickness.

      By rowing boat, take box to nearest deep ocean trench. Preferrably one of at least 2KM depth

      Push box over side. Before pushing, check to make sure you are not actually tethered to it.

      Run like hell when the Deep Old Ones come after you for littering.

    2. Charles 9 Silver badge

      Re: Just goes to show..

      Wanna bet they can STILL access it by specially tuned microwaves and then get the password out of you with rubber hoses?

      1. This post has been deleted by its author

    3. tom dial Silver badge

      Re: Just goes to show..

      No processor that accepts a microcode load (Pentium and earlier?)

      No storage device more advanced than a 3.5" FDD or an MFM HDD

      No USB of any type

      Removable (and removed) jumpers to disable writing to the BIOS storage and NVRAM

      Probably some other things I overlooked.

      That still won't keep people from installing root kits and other malware, but it might at least prevent putting them where they are effectively invisible and very difficult to remove.

  18. psychonaut

    design flaw?

    or

    dun dun dun......

    baked in spyware...

    let the conspiracies commence!

  19. Anonymous Coward
    Anonymous Coward

    More of an undocumented feature than flaw.

    Knowing what we know now about how active the U.S. government has been in the manufacturing of "flaws" in computers and networks and using all methods to get the cooperation of companies it takes a certain sheep like attitude to consider such design a forgotten flaw.

    Even more so if we look back to the paranoia and fear governments were openly expressing about the new technology and the assurances they were getting from various government agencies that the situation was under control and more funding would ensure it would stay that way.

    It might help those who can recall the past to keep in mind what we have learned since then and that the phrase "Trust Us" is used most often by those who should not be trusted.

    1. Solmyr ibn Wali Barad

      Re: More of an undocumented feature than flaw.

      In that case, why was it allowed to be fixed in Sandy Bridge? TPTB somehow got less malicious?

      1. JulieM Silver badge

        Re: More of an undocumented feature than flaw.

        I doubt that the Powers that Be got any less malicious. Less implausible is the idea that the NSA / GCHQ got word that their backdoor was about to be compromised, and had to abandon the technique for fear of embarrassment.

        Which raises the question ..... What did they replace it with? (Bear in mind that it would not be entirely unfeasible for a government agency to compromise a system recovery tool, that might be downloaded by a sysadmin for some emergency repair work. Do you make your own emergency boot disks? Or do you just download a well-known one as and when any problems may arise? Did you check the installation "scripts" carefully to be sure there were no statically-compiled binaries among them? Do you keep a recovery USB stick in a safe place at all times? Because someone who knows what's on that, and can persuade you to reach for it, as good as has physical access to your hardware.)

        Did any computer security types disappear in extreme sports accidents, or suffer nervous breakdowns, around that time? I can't believe they wouldn't have tried to silence the person who discovered the exploit anyway, even in spite of removing the flaw from future processors.

        Of course, it's even more probable that this was a simple design error with unintended consequences, and not put there deliberately. Although, we should not rule out the idea that the NSA / GCHQ ever made use of the technique while it existed. Illegally-obtained evidence has been used in the past to justify fishing expeditions for better evidence that would be admissible in court -- and provide plausible deniability for the Agencies.

  20. Grikath
    Devil

    Oh, the Paranoia!

    There's already some good ones here, but it seems to me the Tinfoil Hatters are beating their same old drums. Come on shiny-crinkly headwrappers, you can do better than this ?!!

    What changed significantly in 2011 that Intel changed stuff at this level?!! What is the new backdoor for [Bad Guy of your pet peeve]?!! Why would [omnipotent Agency X] not simply Disappear the knowledge of this feature, or is it a move to direct attention from something else?!! See? It's easy to come up with Stuff!

    On a more serious note for the peeps who know more about this than I'll ever need : Wouldn't you have to be pretty careful not to create bugs/artefacts in the operation of the hardware that would show in one way or another? This is pretty high-brow stuff, well outside of script-kiddie territory, it's not as if you have much room to work with to pull this off, and then do anything actually'"useful", after all.

  21. Stephen Leslie

    Why does the government fear private computers?

    Why do governments fear securable computers? What on earth can people do with computers that's so scary to them? I get terrorists might co-ordinate via email or cell phone .. but otherwise their fear seems overrated? And doesn't email meta-data alert them already? Why is it such a big deal to governments?

    1. Phil O'Sophical Silver badge

      Re: Why does the government fear private computers?

      Why is it such a big deal to governments?

      Ministers know how pencil & paper work, they aren't frightening. They haven't a clue how computers work, though, so they're scared shitless that they might be caught out not doing something, and hence lose votes.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why does the government fear private computers?

      Governments aren't scared of secured private computers. They don't vote (at least not in a paper based mandraulic voting system).

      No, what governments fear is the things that some seriously nasty people do with them. Things like child pornography, financial fraud, ddos blackmail, cryptolock extortion, etc. And that's before you start considering how they can be used to command and control terrorist acts or influence other vulnerable people in bad ways.

      What the likes of Google, Facebook, Apple, etc. are risking is being seen to have been in possession of vital information prior to a 9/11 style attack but to have not passed it on. Hopefully an attack of that scale never happens ever again. However, what would their reputation be like after such an event?

      1. Anonymous Coward
        Anonymous Coward

        Re: Why does the government fear private computers?

        On your point about using computers for child porn/plotting your reign of terror/ hiding your drug money/ swindling the guillible/blackmail etc all these things existed before computers were common place and you can bet the guilty took measures to hide/encrypt the data.

        your other points, DDOS, cryptoblock extortion have been made possible by the security holes left in so the authorites can "catch the baddies at it".

        Given that the "baddies" know that putting anything on a computer is a mistake and will not be doing it then wouldnt it be better if the rest of us weren't treated like criminals.

        Given that the criminals are using the authority's backdoors to invent new crimes and we no longer have any private life outside the home or even in the home if you have a camera on any internet enabled device. Then it makes you wonder who exactly the authorities are really targetting as a threat

        1. Anonymous Coward
          Anonymous Coward

          Re: Why does the government fear private computers?

          "On your point about using computers for child porn/plotting your reign of terror/ hiding your drug money/ swindling the guillible/blackmail etc all these things existed before computers were common place and you can bet the guilty took measures to hide/encrypt the data."

          All that certainly happened before, but now it's far too easy to do those things on a large scale and far too easy to get away with it.

          your other points, DDOS, cryptoblock extortion have been made possible by the security holes left in so the authorites can "catch the baddies at it".

          So you think that it's all some kind of super organised plot on behalf of the tech industry and all governments worldwide? You don't think it's just the result of flawed and lazy humans not bothering or simply making mistakes in their work / hobby? Jeez, who are those guys and what planet do they come from?

          "Given that the "baddies" know that putting anything on a computer is a mistake and will not be doing it then wouldnt it be better if the rest of us weren't treated like criminals."

          You're pretty naive, aren't you. A lot of baddies are also lazy idiots...

          Today's computers and networks are a problem. On the one hand we all want security, reliability fun and convenience. On the other hand there's too many well meaning but naive people creating networks and software that are more useful to baddies than goodies. They themselves rarely suffer the direct consequences of the abuse of their creation by criminals, blackmailers, fraudsters, shooters, paedophiles and terrorists. Which is great for them, not so great for those who do get robbed, conned, abused, shot, blown up or maimed.

          There is currently no good answer to this dilemma.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why does the government fear private computers?

            Tell me someone we can trust who agrees with your points, by trust I mean not being paid to continue the existing situation which I would say clearly targets more innocents that criminals.

            I would say that yes there has historically been many intentional "errors" in code and hardware for the purposes of anticompetition, antiprivacy. Anyone who has been in IT since they allowed russia etc to buy computer equipment will know what I am talkign about

            Yes criminals can be just as stupid and niave as the rest of the sheeple however statistically there are less people using computers for nafarious reasons than otherwise and yet all are abused. The bot nets etc could not exist if the underlying OS and hardware were secure but clearly since they do exist the system builders are at fault.

            That the underlying IT systems are compromised for whatever reason means that by far the biggest loosers are the good guys who now have zero privacy, zero protection and zero chance of being put first for a change

            1. Cameron Colley

              Re: Why does the government fear private computers?

              Governments, well Western ones at least, don't fear private computers.

              They want to provide their chums in the computer hardware and software business with lucrative contracts selling to the "intelligence" services. The politicians want the board of directors jobs and kickbacks offered for drumming up business for their pals.

              Governments aren't about helping the people or the country they're about helping the members of the government make more money.

              Governments couldn't give a shit about terrorism, illegal drugs or child pornography. They want power and money.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why does the government fear private computers?

      Not so much the securable computer per se, more as another item on the checklist (toolchain) for someone that will be likely to be a threat to governments, the people running them, and the wealthy that the government answer to at the end (if they want to remain in office). Look at what 9/11 resulted in? Massive loss of wealth even discounting the loss of lives among "the people that matter." Sony? Charlie Hebdo? How about that gang that the FBI is pulling down using pre-published financial news to get a jump in the financial markets. Now that one will probably have legs. Lots of legs!

      Now to be able to break into the systems the hackers depend on? Yeah, that pretty much hits the "Priceless" button with a sledgehammer. And any other technique that can be brought to bear, damn the cost. After all (not true but said anyway) we can pass that cost to the serfs.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why does the government fear private computers?

      "Why does the government fear private computers?"

      Rapid mass communication for the plebs. We the plebs must not be allowed unfettered instantaneous communication. Even if you haven't imagined how unthinkably terrible a local "arab spring" would be for "the 1%" you can rest assured that they have... a long time ago... and multiple layers of robust "safeguards" are already in place.

      ...but apart from that obvious fear... it's also a somewhat broader and more innate opportunity... The great democracies have a long and proud tradition of doing all they can to monitor and subjugate their subjects. This is the very means by which they built and maintain that status as the "great democracies." It's a tradition stretching back unbroken to long before the little "democracies" slogan was concocted. Imagine for a moment how Queen Elizabeth's (no, the other one's) ministers would have felt and responded if a communications industry had fallen into their laps which, despite using opaque "magic box" apparatus which was far beyond the complete understanding of any of the plebs, was practically universally adopted by them. What would they have done with that? Of course, you'd not really be imagining anything. It just happens to have happened 400 or so years later. And why shouldn't they be doing what comes so naturally? What's to stop them?

      It's a "power" (control) thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why does the government fear private computers?

        @AC,

        "Rapid mass communication for the plebs. We the plebs must not be allowed unfettered instantaneous communication. Even if you haven't imagined how unthinkably terrible a local "arab spring" would be for "the 1%" you can rest assured that they have... a long time ago... and multiple layers of robust "safeguards" are already in place."

        What utter rot. Apart from the fact that we pretty much all have multiple means of instant communications, a local "Arab Spring" happens once every 5 years here in the UK, or 4 years if your an American. It's called an election, it's much better organised and it does actually result in a change of government if that's what people actually vote for. If a government hasn't done well enough it will lose the next election, as has frequently happened within your lifetime.

        "The great democracies have a long and proud tradition of doing all they can to monitor and subjugate their subjects."

        More commonly known as law enforcement, something that voters are generally very much in favour of at election time. Everyone voting generally wants criminals to be subjugated with maximum vigour. If you think otherwise, try standing as a candidate at the next election and see how far you get on an openly anti law enforcement billing. You'd be lucky to keep your deposit. A population gets the laws and government it votes for.

        "Imagine for a moment how Queen Elizabeth's (no, the other one's) ministers would have felt and responded if a communications industry had fallen into their laps which, despite using opaque "magic box" apparatus which was far beyond the complete understanding of any of the plebs, was practically universally adopted by them. What would they have done with that?"

        You've not heard of Francis Walsingham, or pen and paper?

      2. tom dial Silver badge

        Re: Why does the government fear private computers?

        Looking at Iraq, Syria, Bahrain, Yemen, Jordan, Egypt, Libya, and Tunisia to name a few, is it clear that we should want a local "arab spring"? Really?

        "Mulitiple layers of robust 'safeguards': for example? And under what plausible conditions would they likely be used?

        What subjugation would that be? For monitoring, aside from objections to wire sniffing that some might not describe as surveillance as long as it was limited to machine filtering, what outcomes exceed limits that a majority would think reasonable (limited to Europe/EEC, Five Eyes, South Korea, Japan for discussion purposes)?

        Governments are established to govern, and police are hired to enforce the laws. News articles notwithstanding, in the countries identified above, they usually do so without interfering excessively with the majority of the population. When they do, courts often will curtail the excesses, and those who object can try to persuade legislators to change the laws, or try to replace the legislators so as to try to change the laws from within. The fact that they may fail to do so may not mean they are corrupt or under control by the 1% or other enemy of the people; it may simply mean that the majority who elect the legislature and executive are not dissatisfied enough to vote for change. And like it or not, no established government, however legitimate, is going to put up with attempts to overthrow it by means outside the law.

    5. Hey Nonny Nonny Mouse

      Re: Why does the government fear private computers?

      It's not about 'terror' or 'drugs' or whatever the current whipping boy is this decade, it's about having control and the easiest way to keep control is to know what everyone is saying.

      As one man (or his speech writers) said 'You're either with us or against us' and having oversight on what your population thinks and says is one hell of a way to keep people on side and marginalise those who aren't.

  22. Zmodem

    fixing it made intel chips fast

    until sandy cores came along, AMD were always alot faster for over a decade

    1. Anonymous Coward
      Anonymous Coward

      Not sure why I bother

      Because you're regularly just plain wrong on many levels but....

      Here's a clue, CPU speed isn't worth jack unless you can get the data in and out of a chip as fast possible.

      Now go away and work out why Intel dominates the market where sustained I/O speed is important (and another clue for free, that's pretty much everywhere except where little boys toss off over benchmarks)

      1. Anonymous Coward
        Anonymous Coward

        Re: Not sure why I bother

        Actually until well into the '90 the PC just wasnt that fast compared to the alternatives of the time.

        High cpu and fpu applications typically used the alternatives because the intel archetechure just wasnt up to it.

        In actuallity MS and intel won out because of component prices, litigation from USPO patents and back room deals with government officials. With the profits they either bought up, crippled or outright destroyed their competition. Only recently have the better technologies like ARM been allowed a lookin and that was because the US lost control of their far east suppliers.

        intel stopped being an asset to computing after the 8080 and Microsoft were always greedy grabbers, the latters only input to this subject was their 4k interpreter and their subsequent demands for cash in an environment where coders were proud to give the fruit of their labours away.

        So no these companies did not win the home computing race by being the best system designers, they were given the prize by western governments who allowed their home grown products to be destroyed on the promise of dominion over the coming age of information.

        We were all sold out by the people we elected and we all voted for the removal of privacy and security furtheris still going on today.

  23. Where not exists

    Sales going up!

    Sounds like a good way for Intel to ramp up orders for new hardware.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sales going up!

      Quite.

      Obsolete anyway. So why not cash in on the marketing opportunity?

      MUST. GET. NEWER. HARDWARE.

  24. Anonymous Coward
    Anonymous Coward

    NSA controls ring -3 ? Peshaw...

    NSA controls the electrons! Entanglement processes run at the chip foundry by really creepy janitors means every quantum jump by an electron in a processor chip is mirrored at the sister chip in Ft Meade.

    Now that I've revealed that, my life is in grave dan

    1. This post has been deleted by its author

    2. Phil O'Sophical Silver badge

      Re: NSA controls ring -3 ? Peshaw...

      really creepy janitor

      The number one super guy?

      1. Anonymous Coward
        Anonymous Coward

        Re: NSA controls ring -3 ? Peshaw...

        Sounds like a load of old phooey..

  25. Anonymous Coward
    Anonymous Coward

    >This means the rootkit can, among other things, silently monitor and record the user's every keypress, mouse click, and download.

    So, it's not a flaw. It's actually a NSA/GCHQ backdoor.

  26. teknopaul Bronze badge

    data treated as code

    Most security bugs seem to stem from executing data as code. Can some knowledgeable reg reader explain to me why this cannot be resolved in hardware. Eg physical ram that is only ever treated as data and separate chips registers and caches for code. Is it infeasible for some performance reason? Not assuming current architectures, consider also a 128bit word, where one half is guaranteed to be data,or something else "thinking out of the box"

    1. Paul Shirley

      Re: data treated as code

      It's called the Harvard Architecture and it was designed to increase throughput to/from memory but does separate data from code. However we quite like to load programs into memory so they can be run, we like to JIT compile scripts and so on - so it could never offer any more security than write protecting pages in our Von Neumann machines.

      The reason they died out is probably the slight problem of where you put the extra pins on a microprocessor to access 2 separate memory systems. Nowadays we could just multiplex them but it makes more sense to treat it just gobble the extra bandwidth directly.

    2. Anonymous Coward
      Anonymous Coward

      Re: data treated as code

      There used to be computers with seperate data and code ram for secure systems but we dont have them anymore instead we have intel, windows and compiled rather than machine code operating systems.

      Basically security was abandoned in the lust for speed however now that hardware is so much cheaper we could return to secure computing if only we were allowed to.

    3. Phil O'Sophical Silver badge

      Re: data treated as code

      Can some knowledgeable reg reader explain to me why this cannot be resolved in hardware.

      It can to some degree. PDP-11's had separate I & D space, which in those days of 16- or 22-bit addressing also doubled the available memory space. IIRC there was a hardware signal which the processor used to indicate which memory it was accessing, so normal user programs could only read/write data memory, never Instruction memory. I'm fairly sure other microprocessors (some of the M68K family?) had similar options.

      I'm not sure it would necessarily solve the problem, though. The processor is still in the loop to get the code off the disk initially and into the I space so that it can be executed, so it has to have a way to write into the I space at some point. That is usually done by switcthing the processor into one of the privileged modes (the inner "rings" as described here) at which point I-space is writable. Since this hack relies on getting the processor into a privileged mode so that memory can be remapped you could probably bypass the protection.

      Or, of course, just not design buggy hardware :)

      1. Solmyr ibn Wali Barad

        Re: data treated as code

        "PDP-11's had separate I & D space"

        So did 8086. Code segment, data segment, stack segment, et al. In practice these pointers were often set at the same address, which kind of defeats the point.

        Later attempt was NX (non execute) bit from P4 onwards.

        1. Charles 9 Silver badge

          Re: data treated as code

          "So did 8086. Code segment, data segment, stack segment, et al. In practice these pointers were often set at the same address, which kind of defeats the point."

          In Real Mode, once memory cleared 16 bits, the code and data segments could and frequently did occupy different 64K segments of memory. About the only time the CS and DS were the same was in Tiny (.COM rather than .EXE) compiles meant to fit completely into a single 64K segment.

          Protected Mode meant 32-bit programming which meant access of up to 4GB of memory in an age where even 8 and eventually 256MB was considered high. This meant a flat memory model and that deprecated segments.

  27. Henry Wertz 1 Gold badge

    Not ironic

    "(ironic that NT & UNIX & OS/2 etc could use a 1995 Pentium Pro properly but Win95 went slower on it)."

    Not ironic at all. Intel assumed by the time the Pentium Pro shipped that contemporary OSes would be 32-bit (recall the PPro was under development for years before it shipped). So they made sure it ran 32-bit code very quickly, they made sure it *could* run 16-bit code but didn't worry about the speed of it. NT, UNIX, and OS/2 were full 32-bit OSes, Windows 95 was a shell over 16-bit DOS so it ran like crap on it. Intel was a bit pissed at Microsoft at the time for continuing to ship DOS shells instead of NT-based Windows exclusively. The Pentium2 actually ran 32-bit code *slower* than a Pentium Pro, it was just reworked to speed up 16-bit code.

    1. bazza Silver badge

      Re: Not ironic

      Alas there was quite a lot of 16 bit code lurking inside OS/2 :-( A lot of thunking was going on inside.

  28. Proud Father

    2 Rings

    The reason only 2 of the 4 rings are used is because of the Alpha build of NT.

    Alpha processors only had 2 rings so it was kept this way for code portability between CPU architectures.

  29. Anonymous Coward
    Unhappy

    Sigh...

    One workstation, one laptop, one all-in-one, and all those Android phones and tablets (a dozen of those). That's what's "safe" at least from this. Server (dual Xeon 5650s) and a bunch of Core 2 Duos and Quads (media/game servers and desktops) toast. Shit.

  30. Herby Silver badge

    Makes me wish for...

    Better processors that don't have little secrets hidden in them. I long for the days of a nice processor like the MC68060. Pity they didn't super-scalar it like other processors of the day. Would have been a nice processor to do business with.

    That's what I get for programming for over 50 years.

    The IBM 1620 was a wonderful machine to program.

  31. Ropewash
    FAIL

    NSA

    Wouldn't all the NSA machines with older Intel inside be equally at risk?

  32. Anonymous Coward
    Anonymous Coward

    Re. NSA

    Interesting. Maybe NASA using 8088's and suchlike was intentional because they suspected that newer chips might be vulnerable to things like this and related SEUs in the sub 1000nm transistors in subtle ways that error correction might miss. (think rowhammer)

    I have it on good authority that they also run the chips at a fraction (the exact number is still classified) of the clock rate and different on each chip within its spec on main and backup systems so that a fault can't propagate via subtle power surges etc.

    Its also intriguing to note that some of the new consumer level chips have active protection against power related instability and interference injection. Unused pins are now being joined to the Gnd plane rather than left floating so that this cuts off another avenue of attack.

    1. Measurer
      Holmes

      Re: Re. NSA

      Never leave an input floating! Either pull it to a defined voltage via a suitable resistor, or KNOW that internally its been done.

    2. Solmyr ibn Wali Barad

      Re: NASA

      More to do with charged particles dashing through the chips. Larger transistors at lower frequencies have much better radiation resistance. And differing frequencies can help to reduce interference, as you rightly noted.

      ECC (if done correctly) will not miss anything. Rowhammering needs several write cycles to flip a bit, but ECC logic has to compare checksums on every RAS/CAS cycle. If one bit is off, it can be corrected. If several bits are wrong - checkstop.

  33. Anonymous Coward
    Anonymous Coward

    Sooo....

    Baked in template code?

    I may have misunderstood the issue here (it's early and there's been no coffee yet) but doesn't that imply that template code is just code?

    As such it's going to be held in a EEPROM/Flash device somewhere on the afflicted motherboard and therefore will be reprogrammable? (most manufacturers don't fit programmed chips to their products, they program in situ via some means that requires no local CPU involvement, JTAG, SPI, I2C or even proprietory means so even on a compromised system it's possible).

    1. Anonymous Coward
      Anonymous Coward

      Re: Sooo....

      The fault lies within the cpu and to change code there requires a digitally signed/encrypted image to be loaded with your OS (intel just released an update of this type).

      unfortunately this function is not in the microcode andis at best due to an utter brainfart that allows unrestricted access to any memory location, this obviously makes the cpu based security useless and results in you having to buy a new cpu to fix it.

  34. Anonymous Coward
    Anonymous Coward

    Good strategy

    It sounds like an exellent long term strategy, win win for all. For all these years, this served as a backdoor for NSA. Now, an excellent way for making sales. Scare people to ditch old computers and buy new.

  35. Greycon

    Top class article, you write very well. Many thanks.

  36. Feldagast

    I think they just found a way to sell more CPU's, I didn't see anywhere if AMD is also suffering from this bug as well.

  37. Anonymous Coward
    Anonymous Coward

    Re. black helicopters

    A thought to consider.

    I suggest that the problems showing up in some CPUs might actually be related to the microcode, this is updated by the BIOS usually and rarely causes a problem.

    Some older LGA775 systems wouldn't even boot into DOS until this was fixed with an older CPU (typically this would be a P4 instead of a Celeron D/dual core/quad) and even the newer LGA-1066 have this annoying habit.

    Yes, indeed buggy microcode can do this BUT its an entire new vector for malware to exploit the BIOS to insert known bad commands during initial bootup which then sit there until triggered.

    The latest trend for malware is to *only* run using SSE3 or SIMD instructions so that nice new hexacore beast will be vulnerable but an older C2D won't unless emulating said instructions.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019