back to article 'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Intel's fix for Spectre variant 2 – the branch target injection design flaw affecting most of its processor chips – is not to fix it. Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips – at least for a few years until …

  1. Duncan Macdonald

    The bug is better than the buggy fix !!!

    Until Intel get their act together and release stable fixes, I have disabled Windows Update on my home systems (neither Meltdown or Spectre is much of a threat to a home user). It is in my opinion safer to use a slightly out of date Windows 10 installation than an unstable one. (Edge / IE are not a problem on my system as they are disabled with the Norton firewall denying them internet access so their myriad of bugs do not matter.)

    1. J. R. Hartley

      Re: The bug is better than the buggy fix !!!

      Windows 10 is the real vulnerability in your system.

      1. John Smith 19 Gold badge
        FAIL

        Translation "Any performance hit you take by setting this flag is on *you*"

        Well in line with US Corporate (Blame the victim for our incompetence) culture. *

        *More like what you find growing on cheese that's been in the fridge for a few months after its sell by date than artistic and social refinement.

        1. PaulFrederick

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          If they're so incompetent where were all of the competent ones for the past 20 years? That's a mighty long lunch break they were all on.

        2. Anonymous Coward
          Anonymous Coward

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          @ John Smith 19

          Exactly, Intel is hoping that by giving consumers a "choice" they'll mitigate their liability. Intel f@#$ed up and this is not a real fix. In fact, it may create problems for less technical users.

          This does make me wonder if the three letter agencies didn't request a "fix" like this whether they'd already been using this method to spy on people or just want to now.

        3. WhatsData2U
          Joke

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          Hmm... guess we can either wait for v9+ or a new design. Probably take about the same amount of time for either. While they dance, we wait.

    2. jonfr

      Re: The bug is better than the buggy fix !!!

      I have AMD and I had to install Windows 10 update kb4073290 to get windows 10 stable again. Since I am using Windows 10 Home I don't have the option of disabling the updates.

      My AMD computer was not in unbootable state but was showing signs of unstably with at least one random reboot. Random reboot should not happen under any circumstances.

      https://support.microsoft.com/en-us/help/4073290/unbootable-state-for-amd-devices-in-windows-10-version-1709

      1. eldakka

        Re: The bug is better than the buggy fix !!!

        > Since I am using Windows 10 Home I don't have the option of disabling the updates.

        Yes you do.

        There are registry keys that can be changed and services that can be disabled to accomplish this.

        There are even 3rd party programs, like ShutUp10, that give you a simple slider switch to disable/enable these features without having to go into the registry or services control panel.

      2. scrubber

        Re: The bug is better than the buggy fix !!!

        "I don't have the option of disabling the updates"

        Sure you do. Whitelist all the IP addresses you want ot use on the firewall and Microsoft can't get at your machine.

      3. RegGuy1 Silver badge

        Windows 10 Home doesn't have the option of disabling the updates

        Can't you add

        127.0.0.1 microsoft.com

        to your hosts file (windows has one buried somewhere)? That should fix it.

        1. Vince

          Re: Windows 10 Home doesn't have the option of disabling the updates

          "Can't you add..."

          (a) No, because that's not the host name used for Windows Update

          (b) No, because Windows has a hard coded list of locations including IP addresses to ensure malware can't so easily stop updates & to prevent hijacking that it uses as well as looking things up

      4. idontbyte

        Re: The bug is better than the buggy fix !!!

        'Random reboot should not happen under any circumstances.' - incorrect, unless you are using ECC registered memory then your computer is susceptible to data corruption from outside sources such as solar flares. Some articles have reported that with 4GB memory you are likely to have at least 1 bit error every 48 hours, whereas with ECC registered memory it's more like 2.7 million years.

        Random reboots can also be the result of poor code, especially drivers, though you would expect windows to highlight this in this case.

    3. Sitaram Chamarty

      Re: The bug is better than the buggy fix !!!

      > neither Meltdown or Spectre is much of a threat to a home user

      I hope you've updated your browser at least because Meltdown and/or Spectre can be used from Javascript. Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers. Not quite a fix, but from a browser's standpoint that's really all they can do.

      No idea about Chrome, and even less about IE.

      1. PaulFrederick

        Re: The bug is better than the buggy fix !!!

        You hope they updated? Who do you think they are James Bond? Most of us have nothing on our systems but data anyone can access on the Internet anyways. It is not like you're going to get the launch codes out of my PC, that's for sure. For the processing power it'd take to gain any worthwhile data out of Spectre or Meltdown you might as well just mine for bitcoins. You'd be ahead of the game. At least with mining you know there's some value in it eventually. On my PC right now you'd just be reading this stupid comment I'm posting. Big whoop de do. Random cache data is low grade ore. It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't.

        1. werdsmith Silver badge

          Re: The bug is better than the buggy fix !!!

          @paulfederick

          Indeed you are correct.I'm avoiding these updates and there is nothing on my home PC of any interest anyway. Anyone wants to take a look, be my guest but you'll be bored after 5 minutes. And what is the likelihood of a successful Spectre attack by browser? Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit.

          There will always be the prissy individuals that are frightened of everything and can't think for themselves though.

          1. Tom 7

            Re: The bug is better than the buggy fix !!!

            @werdsmith with that attitude you may well find there is something interesting on your home PC before too long.

          2. Ben Tasker

            Re: The bug is better than the buggy fix !!!

            > Indeed you are correct.I'm avoiding these updates and there is nothing on my home PC of any interest anyway.

            So you never, for example, do Internet Banking? Or send of any kind of identifying documentation?

            The odds of getting caught by it are very, very slim (at least at the moment), but it's very, very easy to underestimate the value of the stuff we actually use our machines for.

            Not updating because you think there's nothing of value on your machine is naive. Base your decision on an actual assessment of the risk vs the trade-offs, not on the perceived value of the data on your system,

            Just my 2p

            1. werdsmith Silver badge

              Re: The bug is better than the buggy fix !!!

              So you never, for example, do Internet Banking? Or send of any kind of identifying documentation?

              Nope.

              @Tom7 Nothing sinister has appeared on my PC in decades.

              Plenty of interesting stuff though, isn't that the point?

              1. IceC0ld

                Re: The bug is better than the buggy fix !!!

                So you never, for example, do Internet Banking? Or send of any kind of identifying documentation?

                Nope.

                @Tom7 Nothing sinister has appeared on my PC in decades.

                Plenty of interesting stuff though, isn't that the point?

                ==

                Mr Krebs says it best, YOU thinking your PC is not 'interesting' doesn't mean it isn't of interest

                https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

          3. Anonymous Coward
            Anonymous Coward

            Re: The bug is better than the buggy fix !!!

            At last! someone who never does internet banking nor has any interaction with any site that talks to any government or financial body at any time over the internet.

            I hope that you havnt browsed to any site that saves your credit card details. Amazon for example are really bad at doing that.

            Luckily for you, not doing that means that there is no chance that some future malware delivered from a botnet constructed of 2 year old unpatched home wifi routers abandoned by the manufacturer wont be able to use meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct amazon via that authorised and established connection to add a new delivery address, change your password, issue wipe commands to any kindle fire tablet you have, deauthorise any other devices that may allow account recovery, grab details of any other connected accounts while at the same time ordering 1000's of (insert currency here) Amazon voucher codes/cards plus a new PC or two to be delivered to the newly added delivery address before thay get put on ebay or that dogdy amazon card site.

            Honestly. People using the internet to buy stuff and manage their accounts was allways a stupid idea. Luckily for you you dont need to patch your machine because you dont do that.

            1. ibmalone

              Re: The bug is better than the buggy fix !!!

              manufacturer wont be able to use meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct amazon via that authorised and established connection to add a new delivery address

              This is actually one thing Amazon do not too badly. You cannot get your stored credit card details back off Amazon, and attempting to enter a new delivery address requires re-confirming your payment details. Of course, compromise the connection and you can pretend to be Amazon, requesting confirmation of payment details...

          4. Roo
            Windows

            Re: The bug is better than the buggy fix !!!

            "Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit."

            I'm in the same boat as far as my desktop box goes, but I do give a bit of a shit because quite frankly having a machine go tits up on you costs time and effort to resolve... I have found that prevention is better than a cure - simply because it wastes less time.

        2. Wayland

          Re: The bug is better than the buggy fix !!!

          PaulF, Perhaps you don't use your computer for banking but most people do. A baddie does not need to access your whole computer just a few bytes when you're typing your banking passwords.

        3. Anonymous Coward
          Anonymous Coward

          Re: The bug is better than the buggy fix !!!

          "It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't."

          So you dont have any internet banking on your machine. Good. You also dont have any mortgage details or scans of ID documents. You also are not going to be editing a selfie with your bank card details visible at any time, I take it you are careful enough to not leave such cards lying on a surface where they may be photographed by accident.

          I also assume you have no kids that may be using a computer with a built in webcam?

          Everyone is a valuable target for someone. Just because you dont think of attacking someones PC for their data or CPU cycles dont think that someone you dont know and will never meet thinks the same as you. Of all the billions of humans out there someone will want your data or your PC, for money or whatnot. Sure they will prefer the easy targets. Dont be an easy target.

          Thanks to meltdown, unpatched you are basically running naked across the internet showing off all your SSL secret keys. Once someone catches a glimpse of your nude SSL secrets they can impersonate those sites. Once you think you are talking to facebook and not them I'm sure they will have plenty of nice little downloadable packages that they can give you.

          Ever heard of firesheep? It was a very usefull firefox plugin. It was quite popular amongs starbuck wifi users ;)

        4. collinsl Bronze badge

          Re: The bug is better than the buggy fix !!!

          00000000

          ^ US Launch codes inside the USA.

        5. Anonymous Coward
          Anonymous Coward

          Re: The bug is better than the buggy fix !!!

          On my PC right now you'd just be reading this stupid comment I'm posting.

          "Oooohhh look, someone is browsing Vocaloid Pr0n, let's get our hacker buddies in on this..."

      2. tim292stro

        Re: The bug is better than the buggy fix !!!

        "...

        >> neither Meltdown or Spectre is much of a threat to a home user

        > No idea about Chrome, and even less about IE.

        ..."

        Chrome 63 added a test feature one needs to turn on called Strict Site Isolation (https://support.google.com/chrome/answer/7623121?hl=en), and Chrome 64 is going to address Meltdown/Spectre formally for all users, a version which should be released any second now... (they said the 23rd of January, which I note is today).

      3. Michael Wojcik Silver badge

        Re: The bug is better than the buggy fix !!!

        Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers

        Reducing the resolution of the high-precision timer, and disabling shared arrays, is mostly theater. There are many ways to get a sufficiently high-resolution timer in Javascript.

        Note that in the original Spectre paper, the authors didn't bother to use the Javascript high-precision timer, because it was already disabled in Chrome. Door closed, horse bolted.

        1. Anonymous Coward
          Anonymous Coward

          Re: Reducing the resolution of the high-precision timer

          "Reducing the resolution of the high-precision timer"

          Are you sure you mean what you've written?

          Resolution and precision are separate concepts, and accuracy is yet another.

          There are lots of places around the web where this distinction is discussed; go have a read and find a description that suits your needs (I'm not even going to try).

          Or try talking to someone who understands the technology of measurement, e.g. someone who understands what might be going on when a digital frequency meter says the mains frequency is 55.000645 Hz. It's about time.

          Are there any "security researchers" who even understand the distinction, let alone are capable of explaining why the distinction doesn't matter to their alleged "exploit"?

    4. bdg2

      Re: The bug is better than the buggy fix !!!

      My understanding is that Microsoft never got as far as including the buggy 8th January Intel microcode in a Windows update.

      1. Yet Another Anonymous coward Silver badge

        Re: The bug is better than the buggy fix !!!

        Wouldn't it be easier for the software to just set a bit to say whether it is evil or not?

        1. richardcox13
          Go

          Re: The bug is better than the buggy fix !!!

          > set a bit to say whether it is evil

          You'll be thinking of RFC 3514.

          A more general mechanism would make things easier. Where's that feature Linus?

      2. thondwe

        Re: The bug is better than the buggy fix !!!

        Updates for Microcode via Windows is for their hardware only - Surface etc. - they have rolled out the new code for those, but not sure they pushed them via Windows Update as yet.

        BTW, IE and Edge both been patched to mitigate against the bugs, Chrome needs site isolation enabled (this may be default soon). Firefox - don't know - don't use it.

    5. Mark 85

      Re: The bug is better than the buggy fix !!!

      Win 7, NoScript, IE, Chrome, Firefox plus Voodoo Shield and killed the MS patch after it bogged the crap out of the PC. Since I don't "surf" but only hit trusted sites I'm not to concerned. The better half, I left the patch in place (along with the same config as mine). She doesn't mind the "hang" and maybe it will help her out. But then, she surfs like crazy.

      I've got Linux ready to rock and roll once I can get one piece of software to work with it. Old software but I like it for work with a laser cutter.

      1. DuncanLarge Silver badge

        Re: The bug is better than the buggy fix !!!

        "I don't "surf" but only hit trusted sites"

        I thought "trusted" sites went out with the dodo. No site is trusted anymore, just more pouplar than others.

        How many times have I read of a trusted site dishing out a drive by download due to a SQL injection attack that succeeded a few hours before. Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page.

        Unless your trusted sites are writen by yourself or your mates and are only accessible on an isolated intranet?

        1. onefang

          Re: The bug is better than the buggy fix !!!

          "Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page."

          But what if it only looks blank, a clever ploy to disguise the malware?

    6. DuncanLarge Silver badge

      Re: The bug is better than the buggy fix !!!

      "(neither Meltdown or Spectre is much of a threat to a home user)"

      Er, meltdown is certainly a serious threat. It basically blows open your entire systems memory map to any bit of javascript (as an example) that your browser cares to load.

      You might as well run an unpacthed and unfirewaled version of windows XP and say you are just as secure.

      Install the meltdown patch just to keep your SSL connections secure. Spectre wont be patched by a windows update. You have to patch your BIOS so you can just patch meltdown.

    7. Multivac

      Re: The bug is better than the buggy fix !!!

      "Until Intel get their act together and release stable fixes" yeah I was in the same place in 2003, then I moved to Linux, glad to hear the last 15 years haven't been wasted hahahahahahahahahahahahahahahahahahahahahahahahahaha!

  2. wolfetone Silver badge
    Pint

    Good man Linus! Pint for you.

    You there Intel??? No beer for you.

    1. Anonymous Coward
      Anonymous Coward

      @wolfetone:

      "Good man Linus! Pint for you.

      You there Intel??? No beer for you"^H^H^H^H^H^H^H^H^H^H^H Your shout, we think.

      What's that you say, Intel? You left your wallet at the office? Along with your brains?

      There! Fixed that for you, @wolfetone. You're welcome.

      1. wolfetone Silver badge
        Pint

        @AC

        A pint for you!

    2. Brewster's Angle Grinder Silver badge

      "Let 'em have it Linus"

      Generally I'm not a fan of Linus's swear attitude. But in this case, Intel deserved everything they got.

      1. jake Silver badge

        Re: "Let 'em have it Linus"

        As usual, I think that Linus is exhibiting extreme tolerance.

        I'd have really lit into the fucking idiots.

        1. wallaby

          Re: "Let 'em have it Linus"

          "As usual, I think that Linus is exhibiting extreme tolerance."

          Tolerance !!!!!!!!!!!

          the man is a c**k

          1. Stoneshop
            Headmaster

            Re: "Let 'em have it Linus"

            the man is a c**k

            Cork? Could well be.

            I expect that if you throw him into a pool or river, he'll float.

            1. Nunyabiznes

              Re: "Let 'em have it Linus"

              "I expect that if you throw him into a pool or river, he'll float."

              He's a witch!

              1. Kabukiwookie

                Re: "Let 'em have it Linus"

                He's a witch!

                Or a duck.

            2. onefang

              Re: "Let 'em have it Linus"

              "Cork? Could well be.

              "I expect that if you throw him into a pool or river, he'll float."

              I forget, does that mean he is or isn't a witch?

              EDIT: pipped at the post by Nunyabiznes!

      2. Visual Echo
        Go

        Re: "Let 'em have it Linus"

        I am definitely a fan. How hard would it be for Linus to walk away from all of this and ignore the poison atmosphere and open up another beer? Somebody shouting like this cares a lot, and they're not passively going to let the hooting monkeys waving flaming tree branches in the front yard get away with poo-flinging shenanigans. I'm sorry but sometimes it does seem to me like threatening somebody's kids with a spanking is exactly what is needed.

  3. Doctor Syntax Silver badge

    I wonder if there's a compromise. Introduce another flag that shows it's not broken, as Linus put it but in the short term is toggled by Intel's boot time flag setting and in the longer term is permanently set to show that it's a properly fixed design.

    1. Dave K

      "I wonder if there's a compromise. Introduce another flag that shows it's not broken"

      Isn't that the same as a flag to say it's secure? This is what Linus is wanting - future CPUs to state "I'm fixed" so that the performance-sapping workarounds aren't applied. Intel on the other hand is wanting the security fix to be opt-in, which as Linus rightfully states as insane.

      1. Doctor Syntax Silver badge

        " Intel on the other hand is wanting the security fix to be opt-in, which as Linus rightfully states as insane."

        AFAICS Intel seem to be saying that, at least in the short term, their only option is a performance-draining one which they want to make opt-in. That doesn't preclude them having a better option in the long term, even if they have no present intention and are forced into it. A flag which says "I'm fixed" could mean fixed by having opted in on the immediate option but fixed by a redesign in the better, long term version.

        The boot-time, user-settable flag would be the choice of speed vs security. With a fixed design this would become a no-op because the user would have security and speed.

        The run-time, read-only flag would simply tell, if clear, that any mitigation needed would have to be in S/W. If set the S/W itself would have any indication of whether it was set as a user choice or by the redesign.

        This would only work if, speed issue apart, the microcode and hardware fixes were equivalent from the user point of view. Intel clearly aren't going to be able to deliver the full, no speed penalty fix that Linus - and the rest of us - want in the short term via microcode changes. If, however, they were able to deliver the "I'm fixed" flag that Linus asks for as part of the short term microcode fix then they'd be wise to listen to him. In the meantime Linus - and the rest of us - are going to have to live with what can be delivered in firmware changes to microcode.

        1. Dave K

          Having an "Opt-In" solution to security is potentially very dangerous. It should be the other way around - apply the security fix unless the user/application explicitly configures otherwise (being aware of the potential risks), or unless a processor flag confirms that the CPU is not vulnerable. I'm fine with the option being changeable, but Opt-In is very risky.

          Ulimtately, there should be three options - the CPU does have the "fixed" flag, so no performance sapping workarounds are used, the CPU does NOT have the "fixed" flag, so the performance sapping workaround is applied (by default), and thirdly the CPU does not have the "fixed" flag and the user has explicitly opted out of the workaround (at their own risk).

          Of course the issue here is that Intel are not only planning on a flag to show that their CPUs are fixed (via microcode), they're wanting kernel developers to then opt into the fix (such that it won't be applied by default).

        2. Michael Wojcik Silver badge

          Intel clearly aren't going to be able to deliver the full, no speed penalty fix that Linus - and the rest of us - want in the short term via microcode changes.

          You should say "Intel will not ever be able to deliver".

          All else being equal, you can't have the same speed without leaking information. You can disguise the penalty by increasing the speed elsewhere or by throwing more resources at the problem (as a degenerate example, consider a CPU that constantly loads millions of pages at random into an enormous cache to confuse cache-timing attacks). But the penalty is still there. Hiding information comes at a cost.

          It is impossible to do speculative execution without either leaking information or whitening it. And since speculative execution by definition enables faster processing than the same core without spec-ex (again, all else being equal), then you have to pay somewhere if you give up unsafe spec-ex.

          That doesn't mean I agree with Intel's decision, but there isn't any easy answer here. For me, sure, I'm happy to pay a performance penalty. But my job doesn't depend on getting most of my machine's rated performance. (In fact my own work machine has been running at a throttled speed for months, thanks to Dell's crap engineering. It hasn't bothered me enough to download the free utility that tweaks the firmware flags.) For some, a big performance hit is really bad news.

  4. frobnicate

    "neither Meltdown or Spectre is much of a threat to a home user"

    Spectre can be invoked by a javascript in your browser.

    1. Duncan Macdonald

      Re: "neither Meltdown or Spectre is much of a threat to a home user"

      NoScript makes this a low level threat. If I used Edge or IE it might be more of a threat but I do not.

      Also both Meltdown and Spectre are information disclosure bugs - on a reasonably set up home system there is not much sensitive data that can be extracted. (No banking credentials are stored on my PC - not even my PayPal login.)

      1. Tomato42

        Re: "neither Meltdown or Spectre is much of a threat to a home user"

        well, you run noscript, I run ublock, but my parents don't, I doubt your parents do to

        doesn't mean they don't use their computers for Internet banking...

        1. Alistair
          Windows

          Re: "neither Meltdown or Spectre is much of a threat to a home user"

          @Tomato

          I've rather educated my mother and my inlaws about basic computer security. Noscript, adblock+ (although I did have to deal with the rampant confusion when FF57 came down....)

      2. Sitaram Chamarty

        Re: "neither Meltdown or Spectre is much of a threat to a home user"

        If by "stored on my PC" you mean on disk, that's not relevant. If you've logged on to paypal or your bank in one tab, and to a dodgy site in another, it would be possible to extract those creds, in theory.

        Even if you logged out, and *then* went to the dodgy site, if the browser didn't zero out the locations where it kept your password in memory, something could be extracted.

        I'm not saying it's easy or practical but as they say, "attacks only get better".

      3. peterjames

        Re: "neither Meltdown or Spectre is much of a threat to a home user"

        Banking creds might not be stored there - but your system creds always are.

        Once those are disclosed it is no longer your system, except physically.

        Unless you want to assume none of those - or any unpublished variants - can read kernel memory.

      4. Wayland

        Re: "neither Meltdown or Spectre is much of a threat to a home user"

        If scripts don't run on your browser then a lot of websites won't work properly. OK so perhaps you could live with that but until it's widespread that scripts don't work then websites will continue to require them.

      5. DuncanLarge Silver badge

        Re: "neither Meltdown or Spectre is much of a threat to a home user"

        "Also both Meltdown and Spectre are information disclosure bugs - on a reasonably set up home system there is not much sensitive data that can be extracted. (No banking credentials are stored on my PC - not even my PayPal login.)"

        The information is stored in the ram. Has nothing to do with files.

        If you type in any password or other sensitive data and dont turn your PC off and on again then that data is what meltdown and spectre have access to.

        When you browse to a site that uses HTTPS, that sites secret keys that it set up just for your connection can be sniffed out by these attacks. Once the keys are known, your connection is basically unencrypted to anything that is watching and talking to home base, whether it is in a browser tab or malware that was installed on your pc by your kid sticking in a USB flash drive they found on the floor at school. They will see your credit card number as it travels over the internet, in plain sight.

    2. whhaaatt

      Re: "neither Meltdown or Spectre is much of a threat to a home user"

      Yep you got that right, but you are still a dumbass.

      You see it all exists in a cloud, and unless you are a blo much smarter than I you are there too.

      Linus has had to set back a distro because of this, not the first one and probably not the last. But I have been in the argument where it is it a software problem or a hardware problem with talking heads before and it is pretty clear at this point that it is a hardware problem that is fucking up a software guys life.

      So take your gadgets and go home.

  5. CliveS
    Mushroom

    The right time - for a change

    An occasion when Linus' expletive laden tirade is more than appropriate. In fact Intel's approach and attitude deserve a Jay (of Jay & Silent Bob fame) f*ck laden tirade. Once might even wonder if Linus is mellowing...

    1. Tomato42

      Re: The right time - for a change

      certainly not the first one and likely not the last - his unload on nVidia was well deserved too

    2. Dan 55 Silver badge

      Re: The right time - for a change

      It's only what anyone technical wants to say, but as he's not beholden to a corporation run by marketing and sales he can say it.

    3. Anonymous Coward
      Anonymous Coward

      Re: The right time - for a change

      "Once might even wonder if Linus is mellowing..."

      Wearying, perhaps. He's seen so much horrible incompetence and cynical money-grubbing.

    4. Chronos

      Re: The right time - for a change

      When Linus is swearing and waving his arms around you pretty much know everything is normal. When he goes all professional with only the occasional sweary, that is a danger sign. It means someone is in deep shit - Intel, in this case, although let's not forget almost everyone else using speculative execution is potentially vulnerable to this. Even MIPS has a couple of P series cores that may be affected.

  6. Anonymous Coward
    Anonymous Coward

    Go on Linus you sock it to 'em with those Finnish martial arts*

    *It's a bit like a Glasgow kiss but you are wearing reindeer antlers.

    1. Youngone Silver badge

      You may have misspelled "Marital Arts".

      1. Anonymous Coward
        Anonymous Coward

        You may have misspelled "Marital Aids".

        1. Mephistro

          Hmmm... martial arts using marital aids...

          Sounds interesting.

          Tomorrow morning I'll register the names "ButtPlugchaku" and "Vibra-jitsu", just in case. 8^)

          1. Teiwaz

            Tomorrow morning I'll register the names "ButtPlugchaku"

            ButtPlugchaku

            Sorry, not as catchy as Pikachu, I don't see your version selling....

            1. hplasm
              Coat

              ButtPlugchaku??

              You know what you can go and do with that!

              1. wallaby

                Re: ButtPlugchaku??

                I know what Linus can do with it - go f*** himself as far as I'm concerned

                c**k

    2. Anonymous Coward
      Anonymous Coward

      "*It's a bit like a Glasgow kiss but you are wearing reindeer antlers."

      If these all mighty corporations don't back off their arrogant attitudes they may one day find themselves with a self administered Glasgow smile.

  7. Tom Chiverton 1

    Real excitement is where they mention RET is busted too.

    That's new.

    Probably embargoed vulnerability they are trying to address without saying so explicitly ?

    1. Tom Chiverton 1

      http://lkml.iu.edu/hypermail/linux/kernel/1801.2/05282.html

      "Then there's Skylake, and that generation of CPU cores. For complicated reasons they actually end up being vulnerable not just on indirect branches, but also on a 'ret' in some circumstances (such as 16+ CALLs in a deep chain)."

  8. Anonymous Coward
    Anonymous Coward

    All AMD needs to do to get back on top is wait until Intel fecks up first.

  9. goldcd

    I'm just waiting for this to be re-branded

    as "performance mode" when the fix isn't applied.

    1. Destroy All Monsters Silver badge
      Windows

      Re: I'm just waiting for this to be re-branded

      Hey yes, bring back the big beige LED-adorned TURBO-33MHz buttons.

      And BYTE magazine, too.

      1. Yet Another Anonymous coward Silver badge

        Re: I'm just waiting for this to be re-branded

        So the chip selects a different algorithm when running benchmarks compared to real on-the-road code? That rings a bell

      2. fobobob

        Re: I'm just waiting for this to be re-branded

        Would've been amusing if those had survived into the 200+ MHz era, as they could've been reprogrammed (dumb jumper-configured leds) to spell out 3 letter words. Sadly, I don't recall ever seeing any with a fully featured left digit.

        1. Stoneshop
          Headmaster

          Re: I'm just waiting for this to be re-branded

          Sadly, I don't recall ever seeing any with a fully featured left digit.

          IOt fits, and should rightfully be considered a three-letter word.

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm just waiting for this to be re-branded

      RE:"performance mode"

      Careful...Intel's marketeers probably read industry forums for new and exciting ideas...

      1. JimmyPage Silver badge
        Stop

        re .Intel's marketeers probably read industry forums

        Last year, on one episode of the News Quiz, Simon Evans noted that when people are in hospital, they are leaving a perfectly good bed at home, which he proposed the NHS use to accommodate patients. This was followed by a joke about Uber ambulances to do the transport.

        At the end, Jeremy Hardy quietly said that he hoped politicians weren't using topical news quizes for policies.

        A month later, we had the announcement from Essex Health Trust about people "AirBnB ing" beds for patients.

  10. Drunken

    Why are the patches so late?

    Microsoft, Intel, AMD etc have known about these bugs since June 2017 if not earlier. Yet Intel cannot release a full BIOS fix that doesn't crash some of its CPUs. Microsoft patch crashed older AMD CPU and Microsoft has not even patched Windows Server 2012 (non R2) yet. While the MS Windows 32 bit OSs do not have a Meltdown fix yet.

    What have they being doing for 6 months?

    1. bazza Silver badge

      Re: Why are the patches so late?

      Writing microcode isn't the easiest of jobs I imagine... I can see that under normal circumstances it might take quite a long time to develop.

      Also the kernel changes are pretty significant. AFAIK the Linux kernel patches were already in the can, but only because someone else had thought such an architectural change might be a good idea.

      1. coconuthead

        Re: difficulty of microcode (Why are the patches so late?)

        I'm ancient enough to have written microcode as part of an undergraduate degree, and, actually, it isn't particularly difficult. You just need to remember that things happen in parallel, and results appear several cycles later, a bit like asynchronous programming in Javascript. The Intel architecture will have many more registers and internal structures than the HP2100A we used, but the principle is the same. And, since Intel's instruction set architecture is so baroque, writing microcode might be a more pleasant experience.

        It might be true that there are multiple microcode architectures for the various chip familiies, which would mean the job would need to be done muliple times. but probably all the server-class chips do use the same one. Even if not, it could be done by different engineers, so it should not affect the elapsed time.

        1. Doctor Syntax Silver badge

          Re: difficulty of microcode (Why are the patches so late?)

          "Even if not, it could be done by different engineers, so it should not affect the elapsed time."

          Providing they have enough microcoding engineers to do it.

    2. Ole Juul

      Re: Why are the patches so late?

      "What have they being doing for 6 months?"

      Discussing the path of least liability.

      1. Chris Collins 1

        Re: Why are the patches so late?

        Sounds about right.

        Some of my employers, will work something like this.

        Idea with 2 month deadline.

        Weeks 1-6 discuss what they going to do.

        Week 7 get the resources.

        Week 8 give me the work to do telling me I have a week to get it all done as its urgent, yet they took their sweet time for several weeks before hand.

        This is a passive example, I have literally had projects handed to me with a 48 hour dead line where they have known about the plans for 6 months.

    3. Voland's right hand Silver badge

      Re: Why are the patches so late?

      What have they being doing for 6 months?

      Managerial "performance degrading fix" tennis. Very popular game in high tech companies.

      The engineering team serves a fix, but instead of it being an ace and reflected on the scoreboard straight away, it is skilfully returned by management for further work because it clusterfucks performance so bad that the company is bound to be sued.

      This game usually starts slowly with the ball leisurely passing from one half of the court into the other. It gains frenetic pace towards the end when it starts to look more like Nadal vs Federer with the final point being scored as a result of an ERROR by one of the players. With the corresponding quality level in the released fix.

      We see that all the time - software, hardware, even automotive. The fix which ends up being released should have never left the building.

    4. onefang

      Re: Why are the patches so late?

      "What have they being doing for 6 months?"

      Designing the logos for the bugs and running them past focus groups. That's way more important than doing anything technical, just ask any marketdroid.

    5. Ken Hagan Gold badge

      Re: Why are the patches so late?

      "What have they being doing for 6 months?"

      One group will have been figuring out how to change the design of the next generation of chips, which you might see in the shops by Christmas, to avoid the problem. A second group will have been figuring out whether the facilities accessible to *existing* microcode are sufficient to allow a patch, at any performance cost. (Based on the flakiness of the patches so far the answer appears to be "possibly not".) A third group, I hope, will have been trying to think of related attacks that get around whatever strategems the first two groups come up with.

      Given the nature of the attacks, I think it is very naive for anyone to assume that a complete patch is actually possible. If Intel *have* internal switches to, for example, turn off speculation then that is both fortunate and frankly rather surprising. (What were they for?)

      1. Nick Ryan Silver badge

        Re: Why are the patches so late?

        If Intel *have* internal switches to, for example, turn off speculation then that is both fortunate and frankly rather surprising. (What were they for?)

        I'd imagine for testing purposes. As in run an exhaustive set of tests with speculative execution on and with it off and the end results, not the timing, must be identical. If not then the caching is interfering with execution.

        Unfortunately in this case, it's the timing that is important (for the exploit)... but that's a different test.

      2. grumpy-old-person

        Re: Why are the patches so late?

        Not quite 50 years ago I worked on a range of mainframes where the bottom machine in the range had loops in the microcode to make it slower, and therefore cheaper, than the next model in the series!

        So "switches" may actually exist in the Intel microcode for some purpose/s of which we are unaware.

        Get out the tin foil hats - thay may actually be required!

  11. Anonymous Coward
    Anonymous Coward

    higher than expected reboots

    I love the weasel words "higher than expected reboots". I was sorta kinda hoping for "none at all" -- how many were Intel expecting?

    1. Sirmike_

      Re: higher than expected reboots

      Real world? One for sure maybe three. But all that would or should be for planned maintenance. Then it doesn’t matter how many because you have migrated the whateveritis to run elsewhere.

      1. teknopaul

        Re: higher than expected reboots

        You miss the point, "reboots" is Intel marketing bullshit for "crash the whole system but we didn't actually brick the hardware and it can be restarted".

    2. Dan 55 Silver badge

      Re: higher than expected reboots

      What ever it is, it's "by design".

    3. Anonymous Coward
      Anonymous Coward

      Re: higher than expected reboots

      You couldn't imagine how high I'd like to boot those chumps at Intel.

    4. Dr.Sommer

      Re: higher than expected reboots

      maybe the idea behind this "higher than .." is the observation that 'higher' is usual seen as better.

      So some alternative formulations?

      And first things first please.

      Here is mine:

      "crash-rate increased"

  12. HereIAmJH

    Turbo button

    Now we just need an 80's computer case with a turbo button. Need reliability, turn on security. Feeling frisky, Turbo all the way. And like the 80s, anyone one want to guess what state most computers will be running in?

  13. tim292stro

    I Remember When...

    "It's a feature not a bug" was a quiet joke among engineering groups in tech... not a serious product marketing plan that made it into the "wild". Those were the days right?

    Still waiting for AMD, Microsoft, Apple, and Linux to announce that they are discontinuing x86 development - someone else is going to have to put them out of their own misery, Intel's people aren't smart enough to fix this themselves (either through inability or lack of vision), and wow are they a boat anchor on the entire industry...

    1. Dazed and Confused

      Re: I Remember When...

      > Still waiting for AMD, Microsoft, Apple, and Linux to announce that they are discontinuing x86 development

      This isn't an x86 problem, its affecting other CPU architectures too. Aren't Sparc and IBM's Power chips also suffering, some ARM CPUs are.

      Intel have a chip which isn't, apparently, affected. But it's illegal to say nice things about Itanium here at El'Reg.

      1. Stoneshop
        Flame

        Re: I Remember When...

        But it's illegal to say nice things about Itanium here at El'Reg.

        It's a very nice space heater that surprisingly offers a few compute capabilities.

        1. Anonymous Coward
          Anonymous Coward

          Re: I Remember When...

          "It's a very nice space heater that surprisingly offers a few compute capabilities."

          CAN YOU SAY THAT AGAIN LOUDER PLEASE?

          I CAN'T HEAR YOU, MY NEXT DOOR NEIGHBOR'S RX2620 IS POWERED UP.

      2. tim292stro

        Re: I Remember When...

        "...

        >> Still waiting for AMD, Microsoft, Apple, and Linux to announce that they are

        >> discontinuing x86 development

        > This isn't an x86 problem, its affecting other CPU architectures too. Aren't

        > Sparc and IBM's Power chips also suffering, some ARM CPUs are

        ..."

        Correcting: "it's not an x86 problem" ONLY. My point is the x86 architecture is still around because after Intel got clobbered trying to release Itanium before the software industry was ready adapt their software to new architectures - they learned that legacy compatibility is a "YUGE" selling point (I'm mean it's going to be big, beautiful - the best!), and basically have stuck with that at the exclusion of all else. If I've understood the entire Core series at all, it's not actually x86 anymore anyway - the "microcode" everyone talks about is the low level emulator software they run on a much more flexible hardware layer to look and act like an x86/amd64 processor. This is one of the reasons they don't like getting rid of ME, as it's effectively guarding the crown jewels of the actual hardware layer.

        I'm not saying Itanium was necessarily a bad architecture either - just very poorly executed when brought to market by Intel management.

        Nowadays, we don't expect software that's compiled for say x86 to run on ARM, but the base code and functionality will work when compiled "just in time" (install-time or run-time). Linux is a great obvious example of this, Perl, Python, etc... After IBM pulled the PowerPC rug out from under Apple, the market got a taste of a large seemingly unkillable staple of the tech industry suddenly disappearing - so that had a different effect than simply introducing a new arch.

        The difference went from "Why a new standard/arch when it works now?" to "Oh Snap!! We need to move to a new standard/arch or we'll have to close the doors!!!"

        I'd like to see a vendor like AMD take on a RISC-V processor design since they own graphics IP (one of the sorely missing things on RISC-V CPUs). They are already huge on "Open Source Standards", and if I can be a bit facetious, they love to half a*se their documentation and let the community figure out what they did (or meant to do) and write the software by themselves without any useful support...

        At this point in semiconductor history, I just don't believe a single company can employ enough people to design a CPU architecture well, or catch all of the design flaws in their ISA. AMD hitching their wagon to a horse like RISC-V, which has been looked at and worked on for years and years by some of the best minds in academia and tech, would be a no-brainer IMHO.

    2. Tomato42

      Re: I Remember When...

      oh, Intel engineers are definitely smart enough to fix it, but it's hard to think clearly when the vultures, *ekhm*, lawyers are dictating your responses to ensure the lowest possible liability to Intel

      1. tim292stro

        Re: I Remember When...

        > "...lawyers are dictating your responses to ensure the lowest possible liability to Intel..."

        This. I'm absolutely certain this is what's happening, and I'm sure there are a lot of big Intel customers who are thinking the same thing who are not happy with Intel planning on the service providers or end-users holding the bag for their sins.

    3. Martin Gregorie

      Re: I Remember When...

      "It's a feature not a bug" was more usually rephrased as "A feature is a documented bug" and the fix was to rewrite the relevant manual pages. This was a commonly heard phrase back when the mainframe was king in both IBM and ICL programming teams.

      I've personally been there and reported one of these bugs: the ICL 2900 IDMSX database had an error in handling ordered sets containing more than one record type. These were linked by key within record type instead of, as the manual said, in key sequence regardless of record type. We raised a bug and waited.... Eventually a new IDMSX release appeared in which the only change was to the manual page. We were not amused.

  14. bazza Silver badge

    There do seems to be some signs of desparation eminating from Intel at the moment. This kind of fault is a real, real danger to the commercial health of a company such as Intel. They're going to need a new or modified core design pretty damn soon.

    Intel are fortunate that AMD's chips aren't completely SPECTRE proof, which is muddying the waters somewhat. Can you imagine what would be happening if AMD's chips weren't affected at all? Intel would be struggling to sell a single chip at the moment.

    1. Anonymous Coward
      Anonymous Coward

      Dell would be struggling to sell a single system at the moment.

      "Intel would be struggling to sell a single chip at the moment."

      How are Dell doing at the moment? Presumably system sales aren't what they might have hoped for this time of year?

    2. Warm Braw

      what would be happening if AMD's chips weren't affected

      In one of the many posts there have been on various forums, I saw a suggestion that the only reason that AMD is not vulnerable to Meltdown is that Intel patents prevented AMD from using those particular techniques. I don't know how accurate that is, but I'd be surprised if AMD's apparent prescience is simply a matter of great foresight.

    3. Anonymous Coward
      Anonymous Coward

      Update latest AMD Ryzen CPUs

      AMD announced that applied a Microcode update to their Ryzen CPUs to fix the Spectre vulnaribilities.

      The reason Intel is probably having such a hard time fixing Meltdown/Spectre is that having been alerted to Meltdown/Spectre they investigated and found other problems not found by Google and are quietly trying to address these using the Spectre fix as a cover.

  15. stever320

    Mr T is oh so good

    Linus T has never written any bad code it would seem by his silly tirade. If this was such a terrible blunder by Intel why did he not spot it years ago?

    Anyone would be forgiven for thinking Linux was 100% secure.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Mr T is oh so good

      Hey Stevie. Can you confirm that the sun is shining down in Santa Clara?

      Also, In that undated photo, Linus seems ready to have Polonium Sushi delivered to the Intel marketing department. Maybe he can appear in a Bond movie?

      1. PaulFrederick

        Re: Mr T is oh so good

        Linus's fictional hacker brother Axl was already portrayed in the movie Swordfish. But he unfortunately met an untimely end. http://www.imdb.com/title/tt0244244/characters/nm0553020?ref_=tt_cl_t8

      2. David Roberts
        Trollface

        Re: Mr T is oh so good - Polonium sushi

        Given recent reports from other news outlets, sushi on its own is enough.

        Unless you are enthused by the prospect of keeping a tapeworm as a pet.

    2. JohnFen

      Re: Mr T is oh so good

      Linus isn't berating Intel for the underlying problem. He's berating them because they're being so bullshitty about it.

    3. Dan 55 Silver badge

      Re: Mr T is oh so good

      Does Linus make CPUs?

      1. hplasm
        Devil

        Re: Mr T is oh so good

        "Does Linus make CPUs?"

        Does Intel? Strictly speaking?

        1. JohnFen

          Re: Mr T is oh so good

          The time I've spent in one of their manufacturing plants watching them being made tells me that yes, Intel makes CPUs.

      2. katrinab Silver badge

        Re: Mr T is oh so good

        "Does Linus make CPUs?"

        Not any more, but he used to work at Transmeta.

      3. JohnFen

        Re: Mr T is oh so good

        "Does Linus make CPUs?"

        How does the answer to this matter in any way?

    4. Adam 1

      time to take stock

      I'm sorry but when a Torvalds rant comes across as a reasonable response to your baffoonary, it is probably time to take stock, admit there's a problem and start methodically working towards a sensible solution.

  16. LeeH

    Speculative but maybe workable fix

    Could this be fixed in some cases by putting an auxiliary piece of hardware into the CPU slot such that the auxiliary sits between the CPU and the slot then either the CPU instructed to reroute requests away from the vulnerable part of the CPU toward the auxiliary hardware so it can perform the vulnerable parts task for it or the auxiliary part used to filter out malicious code before it reaches to the CPU?

    My thinking is that this might allow more efficient processing than a software fix or buggy update to the CPU, and might be less costly than CPU replacement.

    1. Lysenko

      Re: Speculative but maybe workable fix

      The answer to this is "no" on so many levels I strongly suspect (hope) the question/suggestion is satire.

      In the event that I'm wrong, the whole problem in on-die. You can't re-route it out of the chip packaging. Etched CPU tracks are not veroboard. Then there's timing, capacitance, and ... well, it's an instance of this.

      1. LeeH

        Re: Speculative but maybe workable fix

        Nice. So, without being a dick about it, can you briefly explain how the CPU firmware flash does not reprogram the CPU in anyway and then supply a brief schematic to show that the buggy part of the CPU is not bi-passable and therefore not replaceable by a middleman component that sits between the CPU and the CPU slot, whether given an additional power supply or not.

        I only ask because I have minuscule knowledge of the CPU architecture with regard to the programmable and non-reprogrammable h/w elements, their proximities to one 'n' other, how they interact with one 'n' other and how the CPU interfaces with the motherboard. Be nice to expand my surface knowledge. You seem like the right person to ask, being all rude, arrogant and dismissive and all. You have that man-in-the-know-I'm-too-good-for-this-question vibe about you. Could you come down a little lower and provide a quickly readable, easily digestible explanation for lower mortals like myself. Pretty please. I would like to enhance the beauty of my fractal, if you think that's possible.

        1. jake Silver badge

          Re: Speculative but maybe workable fix

          Lee, are you suggesting an ElReg commentard should be required to give you a 3 part, 12 unit advanced university course in modern CPU design and implementation for free? Because that's what it sounds like ...

        2. David Roberts
          Coat

          Re: Speculative but maybe workable fix

          Umm.....how about the problem is between the bedroom and the bathroom so tinkering with the front door lock isn't going to fix it?

          Also, requiring you to go out through the front door into the street to ask permission to come back in to use the bathroom isn't going to speed things up if you are desperate for a dump?

          O.K. On my way.

          The one with the copy of bad analogies in the pocket ->

          1. Bronek Kozicki

            Re: Speculative but maybe workable fix

            @David Roberts - it is a perfectly good analogy, for a non-technical person like Lee has proven himself to be.

        3. Baldrickk

          Re: Speculative but maybe workable fix

          Imagine a room filled with abacuses, and one or more people to use them.

          That's your processor.

          There is an interface to the processor, which we will imagine as a series of pipes that you can pass messages down to the people in the processor room.

          (yes, this is a very loose analogy)

          The Spectre and Meltdown flaws are, in this analogy, flaws in how the people in the room use the abacuses.

          Your proposed solution is to insert something into the pipes, to do... what exactly? The people in the room only respond to specific messages that are passed, so you can't go changing them, or stopping them, or...

        4. Missing Semicolon Silver badge
          Boffin

          Re: Speculative but maybe workable fix

          Ok, a quick explanation.

          The actual CPU on the die is running much faster than the (comparatively) slow operations on the external pins. The pins are running at 100's of MHz, but the CPU core runs at 2-3GHz. The CPU deals with the cache memory, and the cache manager is actually connected to the pins, fetching and flushing as needed.

          All this means that the actual, current state of the CPU core is not reflected on the external pins at all. Only source data and (much later) results are visible.

          1. LeeH

            Re: Speculative but maybe workable fix

            Thank you. I appreciate your explanation.

        5. Anonymous Coward
          Anonymous Coward

          Re: Speculative but maybe workable fix

          > can you briefly explain how ... [snip]

          No need as there's a much simpler fix: Intel currently offer a range of CPUs at different clock speeds. All they have to do is offer the faster processor models at the lower price of the slower ones to compensate for the loss of performance introduced by the fix they are currently trying so hard not to roll out.

          And then they simply need to refund the price difference between fast and slow processor costs to everyone who bought an Intel CPU, or a PC containing an Intel CPU, in the last 10 years or so.

  17. Destroy All Monsters Silver badge
    Windows

    Intel's approach is backwards, making the fix opt-in. Processors can, when asked, reveal to the kernel that Spectre countermeasures are present but disabled by default, and these therefore need to be enabled by the operating system. Presumably, this is because the performance hit is potentially too annoying, or because Intel doesn't want to appear to admit there is a catastrophic security blunder in its blueprints.

    Or maybe someone wants the countermeasures to STAY disabled by default? Nah, can't be. Now, if Microsoft announces that this will be supported by a special patch that must be manually downloaded from a hidden URL, then....

    Anyway, this may apply: Saturday Night Live: FIX IT!

    1. Martin Gregorie

      Or maybe someone wants the countermeasures to STAY disabled by default? .... and maybe that somebody told Intel and AMD to build that flaw into the silicon in the first place?

  18. BobC

    Why we need faster MEMORY!

    Our deep, many-layered memory architectures and the presence of branch prediction and speculative execution on modern processors is simply because the CPU can be idle over 50% of the time just waiting for work to do while other work is being completed. CPU cycles have become staggeringly efficient primarily due to the deep and wide processor pipelines in current architectures.

    The central problem is that transistors used for storage (cache and RAM) are far more "expensive" than transistors used for logic. A billion transistors can give you a whopping CPU, but not really all that much fast storage. This is why additional RAM architectures are needed, ones that use fewer transistors and take up less space while yielding CPU-level speeds.

    If all of RAM could somehow be accessed at the speed of a register and at the cost of a spinning disk, then all CPUs would instantly become vastly simpler. That was the inspiration for RISC, when CISC processors failed to keep memory buses saturated at a time when transistors were still quite expensive; Cache made more sense than logic.

    This is also a motivation for moving processors into the RAM itself, rather than hanging ever more memory onto ever more complex buses connected to many-core/many-thread CPUs. Why not put cores right in the middle of every DRAM chip? That one change would greatly reduce off-chip accesses, the major cause of speed loss. Let the DRAM be dual-ported, with one interface optimized for CPU access, and the other optimized for streaming to/from storage and other peripherals.

    This yet another problem illustrating just how much trouble we still have building things this complex.

    It's time to "add simplicity".

    Death to the North Bridge!

    1. peterjames

      Re: Why we need faster MEMORY!

      But the problem architecture here is Von Neumann, back from 1945 - it'd be hard to be any simpler than that.

      What is needed is a proper hardware separation between kernel memory (and possibly the CPU) and user-space - so a more complex architecture. But that also means rewrite of all OSes and software out there.

      Bit more complex than Shakespeare for those monkeys I'm afraid.

      1. This post has been deleted by its author

    2. Just A Quick Comment

      Re: Why we need faster MEMORY!

      A nice idea, but what happens if we get a bug like this in the DRAM processor? Hopefully this DRAM/CPU hybrid would be as cheap as chips and being socketed it would be easy to update/replace.

      Also, what CPU architecture would you use in the DRAM CPU? Something based on a current chip or some wonderful new architecture? Oh the design teams would have fun - a completely new design blank sheet! Then there's the design time, followed by the debugging time, and the bugs discovered after releasing the new wonder CPU. Me cynical? Nah...

      1. Richard 12 Silver badge

        Re: Why we need faster MEMORY!

        Memory coherency across the really slow DRAM buses sounds like an even more fun game than coherency between multicore CPU registers and L1 caches.

    3. David Roberts

      Re: Why we need faster MEMORY!

      Sounds interesting and a bit like offloading work to GPUs.

      {Googles}

      Ah. GPU chips are also vulnerable to Spectre but not Meltdown.

      Still, a design for massively distributed processing instead of cramming even more processors onto a single die should at least be worth looking at.

      Although adding more slightly slower processors to a single die might be at least as effective for a mixed workload if not for a single thread.

      1. conscience

        Re: Why we need faster MEMORY!

        @David Roberts

        Depends which GPU you are speaking about?

        nVidia are susceptible and require patches to mitigate the bugs, but AMD GPUs are not affected.

    4. I Am Spartacus

      Re: Why we need faster MEMORY!

      @BobC

      I don't disagree. What SHOULD have been done long ago is get a chip that has true 64bit clean architecture, and doesn't have all of the 286/386 legacy instructions to allow paging of memory banks in and out as required. This way a decent OS can understand the memory architecture directly, and intrinsically know when memory is being executed outside of the current processors bounds.

      If you add to this flags on memory to state if it contains executable code/data, wether it is ReadOnly/ReadWrite then you actually start adding a lot more security. evil Person can't just do a buffer overrun and add their code to the execution path because it is then impossible to write to a readonly executable area.

      No need for a NorthBridge at all.

      Not having banked memory means that the whole 64bit address space can be mapped directly to memory. Devices then appear as memory locations (Vax? PDP?, Nova?, motorola). Bang goes the SouthBridge.

      You end up with a much cleaner, simpler, CPU architecture. Simpler motherboards. Simpler compilers. Even simpler OS.

      1. grumpy-old-person

        Re: Why we need faster MEMORY!

        IBM SWARD?

    5. Sel

      Re: Why we need faster MEMORY!

      My time addled brain assures me that Sum Microsystems already did this back in the day on some graphics oriented dram. I can’t find any reference to it today however I did find this:

      http://ieeexplore.ieee.org/document/7850975/?reload=true

  19. veti Silver badge

    Forking "fix"...

    So Intel's idea of a security fix is to take their buggy product, and turn it into, effectively, two buggy products. One with the original bug unfixed, the other with all new bugs waiting to be identified, and way lower performance to, if you'll pardon the pun, boot.

    Yeah, no thanks. Even Microsoft knows better than that.

  20. No-One@No-Where

    You can understand why he gets so grumpy

    I mean - he's known for creating the worst fucking OS of all time - where in order to do fucking anything you have to go to fucking terminal command prompt

    Linux is complete and utter fucking shit and his name is attached to it

    Its no wonder he's pissed

    1. Yet Another Anonymous coward Silver badge

      Mummy, little Billy is playing on the computer again

    2. foo_bar_baz

      Gots to be said

      I'll keep this short. Linus didn't create an OS, he created a kernel.

      Each time you use your Android phone you're using Linux. Not sure where the command line comes in to the picture.

    3. hplasm
      FAIL

      Linux is complete and utter fucking shit

      Said No-one No-where. Ever.

    4. HieronymusBloggs

      "he's known for creating the worst fucking OS of all time - where in order to do fucking anything you have to go to fucking terminal command prompt"

      HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA (edited for brevity)

      Did mummy forget to tie your shoelaces for you this morning?

    5. Doctor Syntax Silver badge

      "where in order to do fucking anything you have to go to fucking terminal command prompt"

      Let me guess. You've never even seen a modern (say less than 20 year old) Unix-based OS let alone ever used one.

      That doesn't mean I'm not about to fire up a terminal emulator to run the 10 updates KDE has just alerted me to. I do that because it's about an order of magnitude faster to do that than faff about with a GUI which, under Linux, is still about an order or magnitude than the Windows equivalent with all those reboots and so on.

  21. Kev99 Silver badge

    So changing the architecture will slow the CPU down by what? 5 NS? 10NS? Well, that's the end of life as we know it.

    1. DavCrav

      "So changing the architecture will slow the CPU down by what? 5 NS? 10NS? Well, that's the end of life as we know it."

      Do you mean changing future processors, or applying the patch? If you mean future processors, what do you do about the ~10bn processors that exist now?

    2. HieronymusBloggs

      "So changing the architecture will slow the CPU down by what? 5 NS? 10NS? Well, that's the end of life as we know it."

      A few nanoseconds added to every instruction becomes significant when multiplied by the several billion instructions that a modern CPU can execute per second.

  22. Public Citizen

    This is what happens when Lawyers and Accountants ["assisted" by Marketing Weasels] are making decisions that should be the exclusive purview of Engineers.

    Torvalds has good reason to be pissed.

  23. Herby

    All of this makes me long for...

    68K architecture, which I read somewhere doesn't have this problem. Unfortunately they stopped with the 68060 and didn't go farther. All in all a MUCH cleaner architecture. Probably slower, but WAY more compact in instruction count. Yes it was very CISC, but when memory was more expensive it was the way to go.

    Now we have these problems, and with very little genetic diversity, I suspect it might not be the last.

    1. gregthecanuck
      Happy

      Re: All of this makes me long for...

      68K isn't quite dead. It is being revived as the 68080 chip by a new development team!

      Currently in FPGA form and being used as an add-on accelerator for Amiga computers. A stand-alone computer based on this chip (Vampire V4) is due for release later on this year. Currently in beta.

      Check out the following links:

      http://www.apollo-accelerators.com/

      http://apollo-accelerators.com/wiki/doku.php

      http://apollo-accelerators.com/wiki/doku.php/apollo_core

      This is a VERY exciting development. Future plans (years away?) do include an ASIC.

      1. gregthecanuck

        Re: All of this makes me long for...

        There is also an IRC discussion forum where the core developers hang out: http://webchat.freenode.net/?channels=apollo-team

        And a regular discussion form for the core is here: http://www.apollo-core.com

    2. Dan 55 Silver badge

      Re: All of this makes me long for...

      It makes me miss the Z80... Almost anything is better than x86.

    3. Inspector71
      Thumb Up

      Re: All of this makes me long for...

      Right, time to fire up the Quadra 840.

    4. Ken Hagan Gold badge

      Re: All of this makes me long for...

      "68K architecture, which I read somewhere doesn't have this problem. "

      68K probably doesn't have this problem because the architecture was commercially dead before out-of-order processors took over. A 68K chip designed for performance last year would have been out of order and would almost certainly have suffered this problem, just like the highest performing cores from ARM, MIPS, SPARC, ...

      Intel are getting flack from Linus because they are being dishonest about the fix, not because of the bug.

  24. Anonymous Coward
    Anonymous Coward

    I'm with Intel on this...

    I'm with Intel on this, in that I want a flag that lets me choose whether to allow the speculative read-ahead. But i want it opt-in, not opt-out (for security reasons). I can reasonably decide what software runs on *certain* machines, and if I want to run a gaming rig (that isnt going to be used for generic internet browsing) but runs games, or if I want my 3d editing rig that just does my Unreal pipeline, that's my *informed* decision to enable the extra power at the tradeoff of a potential security risk.

    1. Aitor 1

      Re: I'm with Intel on this...

      Err no.

      First, the patch has to be stable. It is NOT.

      Second, if you want it for gaming.. well, good news, the impact on gaming is minimal.

      Also, unsecure by default is a horrible option.. (as you also point out), as is running in "unsecure mode". For the common good, processors should try to be at least reasonably secure.. and if people start running computers with known vulnerabilities that can be exploited with a asimple javascript/flash/whatever in the browser.. well, more zombies and bad for everyone when massive floods take down services, or extortion mafias demand money from etailers. And yes, they do, I would even call it "standard".

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm with Intel on this...

        Um, yes? That's why I said I wanted it secured by default, but an option for 25% more performance gain if I can decide that my box is not running malware? My standalone 3d rendering box could definitely use that.

        1. Aitor 1

          Re: I'm with Intel on this...

          I understand you, but that should not be an option, as insecure settings WILL be used in situations that are bad for everyone involved.

  25. sitta_europea Silver badge

    I don't want to have to choose between performance and security.

    1. Doctor Syntax Silver badge

      "I don't want to have to choose between performance and security."

      Neither does anyone else, not even Intel. But we are where we are and not where we want to be. What are the best options for now? Taking care of that and the future are two different tasks.

  26. R3sistance

    Apparently Torvalds can still be praised for sitting two sides on the same argument. After all wasn't it Torvalds only a couple of months ago whom berated a security expert because they didn't have a fallback mechanism in their code from the start and said that enabling security fixes that inconveniences the user is bad and can lead to system crashes.

    Now we have a security update with a fallback mechanism and that enabling it inconveniences the user for certain and does indeed crash many systems.. the sheer hypocrisy here... personally I believe most users don't actually care about security and that sometimes you have to push security on too users even if it inconveniences them somewhat. Naturally you still need the ability to revert or disable such security updates encase they do bork the system too, of course.

    1. Dan 55 Silver badge

      The problem is that you (or rather your OS' kernel at boot) has to opt in because marketing says fake benchmarks are important.

      I'm sure anyone can design a CPU with none of the expected protection that runs like shit of a shovel, but that shouldn't be benchedmarked in the same way as other CPUs which does have it.

      The benchmarks between AMD Ryzen vs Intel i7 8th Gen (Boring Extra Security Mode Which Isn't Really Needed) are too close for comfort, they want people to look at AMD Ryzen vs Intel i7 8th Gen instead.

      1. Aitor 1

        Nailed it

        I fully agree with you.

        In many workloads, AMD processors might be better than current Xeons.. for less money.

        So by creating these patches, they can still benchmark them on "default", ie, "unsecure" mode.

    2. HieronymusBloggs

      "the sheer hypocrisy here... "

      I didn't notice any hypocrisy, as the situations are clearly different. I do notice the tendency of some commentards to take things entirely out of context in order to try and rationalise a personal dislike.

  27. ntevanza

    Linux, the musical

    Linus, he's an inspiration

    He's the wizard of a generation

    He's the kernel's conscience

    He's the boss of foss

    He swears a lot

    But so what;

    The unicorms his gnomes have bred

    Could fill a medium sized shed.

    So denizens of Userland

    Rally round before he's banned!

  28. Anonymous Coward
    Anonymous Coward

    Intel's Response...

    ...says it all:

    “We take the feedback of industry partners seriously. We are actively engaging with the Linux community, including Linus, as we seek to work together on solutions.”

    Where's all the legal bluster you'd expect from a litegeous megacorp? Threats of God knows what, and being on the defensive? None of that - as they know Linus has it spot on.

    1. Anonymous Coward
      Anonymous Coward

      Re: Intel's Response...

      “We take the feedback of industry partners seriously. ..."

      searching on intel's page for who are this serious taken feedback givers - 'industry partners'.

      Well, in 2010 there were a link(now its dead).

      Am I also a serious taken one?

      Well, properly not.

  29. msknight

    Sounds like...

    Intel are deploying "The Intel Trustworthiness Share Umbrella Program"

  30. Anonymous Coward
    Anonymous Coward

    A business decision, not technical

    "Torvalds observed that the cost of using IBRS on existing hardware is so significant that no one will set the hardware capability bits".

    And that is exactly the point, as a "business" mind sees it.

    This way, it will be the user who becomes responsible for insecurity as he failed to turn on the protection bit.

    Or he can turn it on and suffer with the resulting low performance - and that, too, will be his responsibility.

  31. Anonymous Coward
    Anonymous Coward

    not to fix it

    they tried it once, years ago (remember the floating this or that?). That failed, costly. I guess those execs are not around any more...

  32. Anonymous Coward
    Anonymous Coward

    neither Meltdown or Spectre is much of a threat to a home user

    I have this weird feeling I heard something like this before, and more than once, in various context. Like, gee, this gun will never go off on its o

    1. DavCrav

      Re: neither Meltdown or Spectre is much of a threat to a home user

      "I have this weird feeling I heard something like this before, and more than once, in various context. Like, gee, this gun will never go off on its o"

      Or

      "They couldn't hit an elephant at this distance."

      1. Norman Nescio Silver badge

        Re: neither Meltdown or Spectre is much of a threat to a home user

        "They couldn't hit an elephant at this distance."

        Ah yes, the famous words uttered by Union Army General John Sedgewick shortly before his death.

    2. Anonymous Coward
      Anonymous Coward

      Re: neither Meltdown or Spectre is much of a threat to a home user

      Like, gee, this gun will never go off on its o

      To be fair, guns only go off on their own on TV and in the imaginations of those who have an irrational amount of fear* regarding them. If you doubt that, try talking to someone who actually knows a thing or three about guns. It doesn't even need to be a gun nut. Go ask a retired soldier or a SWAT officer how often guns just go off.

      *As opposed to the completely appropriate amount of respect due to anything that can kill if mishandled.

      1. Anonymous Coward
        Anonymous Coward

        Re: Go ask a retired soldier or a SWAT officer how often guns just go off.

        Are they the only types of people who have guns, then?

  33. Anonymous Coward
    Anonymous Coward

    If Linus doesn't like it why doesn't he write it himself?

    1. PNGuinn
      Trollface

      re "If Linus doesn't like it why doesn't he write it himself?"

      He's got a very important job to do himself. This one's Intel's pile of Dodo droppings. It's their call.

      OTOH, just to be charitable, I'll give Intel a free suggestion. Why don't you ask that nice Mr Pottering for some help. If he would only take a week off from fixing Pulse Audio, I'm sure he could easily incorporate a fix into Sysyemd. The system would boot faster, run faster, crash faster, ...oops...

  34. bexley

    three letter agency interference perhaps?

    I expect that intel are being instructed to leave this backdoor open

  35. Colin Tree

    recall

    Should be a recall

    1. David Roberts
      WTF?

      Re: recall

      How far back?

      Core 2 Duo which was shipped with Vista?

      What would the fix be? Replace the complete PC with something which hasn't been fixed yet, and allegedly won't be properly fixed for another 2 years?

      Or wait 2 years then offer a $50 rebate on a brand new system? No way that you are going to fix any 10 year old laptops.

      The best you would be likely to see is a limited term "scrappage" offer which helps shift an enormous number of new W10 systems and gives the whole industry a massive boost. Which isn't my idea of punishment for insecure design.

      1. Jonathan 27

        Re: recall

        Pentium Pro.

        But seriously, at least all CPUs sold in the last 5 years.

  36. Anonymous Coward
    Anonymous Coward

    Linus is right, INTL goes by the evil playbook how to avoid recalling CPUs

    >>> Linus

    >>> Is Intel really planning on making this shit architectural? Has

    >>> anybody talked to them and told them they are f*cking insane?

    >>> Please, any Intel engineers here - talk to your managers.

    >>

    >> Intel employee:

    >> If the alternative was a two-decade product recall and giving everyone

    >> free CPUs, I'm not sure it was entirely insane.

    >

    > Linus:

    > You seem to have bought into the cool-aid. Please add a healthy dose

    > of critical thinking. Because this isn't the kind of cool-aid that

    > makes for a fun trip with pretty pictures. This is the kind that melts

    > your brain.

    So yes, Linus is right. And INTL goes by the evil playbook how to avoid recalling CPUs. They do all the evil stuff what their lawyers came up with to avoid having to recall their last two decades of CPUs. And two billion people around the world get screwed by INTL. Guess what, their "Intel Inside" brand is burning.

    Great that Linus speaks up. Sad that most other don't, shame on them. It's very telling how certain media reports on this issue. TheReg, TechCrunch and some others are reporting it objectively, while many others are doing INTL a favor.

    1. Anonymous Coward
      Anonymous Coward

      Re: Linus is right, INTL goes by the evil playbook how to avoid recalling CPUs

      (further down in the mail thread)

      > Intel employee:

      > Right now the plan is just "screw Skylake"

      -- https://lkml.org/lkml/2018/1/23/108

      INTL just says "screw Skylake" aka CPUs made 2015-2017. What a great time to be a customer, not.

      INTL borked Intel CPUs made 2013-2015 with their latest Meltdown patch, causing unstable crashes "reboots".

      INTL won't release micro-code updates to 1995 (Pentium Pro) - 2012 CPUs at all.

      INTL will sell Meltdown inside CPUs in 2018, with no end in sight.

  37. steamnut

    It's about time the industry gave Intel a big spanking.

    Intel said "We take the feedback of industry partners seriously" - really? Since when did you listen to us?

    I hope the class action suits from the corporate users will give you a lesson in humilty....

    1. ecofeco Silver badge

      Re: It's about time the industry gave Intel a big spanking.

      Lawsuits?

      Boycotts would be better.

  38. Anonymous Coward
    Anonymous Coward

    Options

    Agreed - shockingly arrogant from Intel .... but with a processor design cycle being what it is .... I'm not sure they have a lot of options in the near term. The only hope is that the collective outrage focuses their minds on some fast changes ......

    1. lleres

      Re: Options

      Bollocks.

      Intel has options, they just do not like them.

      They could stop selling their entire affected product line, get everyone to work on a design fix/workaround and only start selling chips when they have a revised design that does not open up their *customers* to remote code execution.

      Like, you know, every other company has done when in the exact same situation. Not only that, most companies would recall defective products at their own expense, as their customers expect them to. See Toyota (twice), Samsung et al.

      But they do not want to because $.

  39. Anonymous Coward
    Anonymous Coward

    What is that hanging out of Linus' ears in this image?

    I hope I'm not the first to wonder this.....

    1. onefang

      "What is that hanging out of Linus' ears in this image?"

      Microphone headset.

  40. whatsyourShtoile
    Mushroom

    Intel's optimisations are the devil's work.

    Finally we can take back control of the order of execution, and write software that is fast because of the skill of the programmer.

    1. Anonymous Coward
      Anonymous Coward

      Re: Intel's optimisations are the devil's work.

      "write software that is fast because of the skill of the programmer."

      And reliable and trustworthy because of the skill of the programmer.

      And successful too because the quality of the product speaks for itself.

      Rather than what we see at the moment: the size of the vendor's marketing budget (and the misguided loyalty of the supporting ecosystem) speaks for the size of the vendor's historic cash pile, not the quality and fitness for purpose of the product in question.

      Name me two Intel-developed non-x86 products where Intel have succeeded in recent years.

      If that doesn't work for you, how are Intel's x86-centric products doing in markets where competition is actually practical, e.g. the mobile SoC market, and high-volume embedded equivalents (set top boxes etc).

      It's been a long time coming, but right now the future's not bright, the future's not Intel.

      Intel. The 8086 company. Sell.

      1. ecofeco Silver badge

        Re: Intel's optimisations are the devil's work.

        Yep.

        Also, I'm sure those massive layoffs last year and the selling of massive stock was all coincidental.

  41. Anonymous Coward
    Trollface

    Don't worry! Apple will be ok!

    An Apple spokesperson recently revealed that Intel were rolling out a special Apple-only Microcode fix to entirely disable branch prediction and speculative execution. The spokesperson continued: "We believe at Apple that there is only one way do do things - the Apple way - and therefore there's no need for speculation or prediction. In a certain world, who needs to speculate? Who need to predict with the outcome is always known and beautiful!"

    When asked about the 30%-50% performance hit across all Apple hardware, the spokesperson explained that "Apple's already been trying this on iPhones for around 6 months, and as long as the phone still looks shiny, and people can still tweet, they don't seem to care. Besides - remember the Apple Way. It'll be ready when we say it's ready. Even if getting there is really slow. And it'll be perfect."

    Tim Cook added: "even better is that we're raising prices by 30% next year to make up for the 30% loss in performance." Chuckling slightly manically, he continued "By the dead eyes of Jobs, I can't believe we're getting away with this, I really can't!"

    An Intel spokesperson ask asked to comment, but he'd driven to the wrong address, for 'security reasons', and was trying to find his way back without letting anyone else know where he'd been.

  42. Aodhhan

    Rocks... glass houses... c'mon Linus.

    Once again Linus is off his meds and ranting as if his creation was perfect from the start.

    Oh.. the stories I can tell about hacking into systems using the early versions of UNIX and Linux. All attacking the OS itself and not software. The input points, the early libraries were all such easy targets, than in less than 30 minutes you could teach an average person how to successfully hack systems.

    1. HieronymusBloggs

      Re: Rocks... glass houses... c'mon Linus.

      "the stories I can tell about hacking into systems using the early versions of UNIX and Linux"

      Nice straw man. Are you saying he should keep his mouth shut about the present CPU debacle?

    2. HieronymusBloggs

      Re: Rocks... glass houses... c'mon Linus.

      "the stories I can tell about hacking into systems using the early versions of UNIX"

      Another thing: Unix was around in 1972. I think it's a little unfair to blame the 3-year-old Linus for that.

  43. Alpy
    Thumb Down

    Hopefully people will wake up!

    Intel have taken advantage of corporate enterprises and home users for years by setting artificially high prices in a market they had total domination in. During that time Moore's law hasn't been maintained due to Intel holding back innovation and maximising margins on existing chip architecture. Now this all comes out in the wash and most people have lost at least 10-35% performance depending on architecture and usage surely people now need to wake up and realise that there is another x86 vendor (AMD) waiting in the wings along with ARM and IBM Power chips to take them into the next generation.

    Please wake up and realise that Intel have been robbing and lying to you for long while!

    1. Yet Another Anonymous coward Silver badge

      Re: Hopefully people will wake up!

      Intel holding back innovation

      Little known fact that Intel cracked 7nm fabs years ago but didn't want to seem pushy and wanted to give TSMC and Samsung a chance top catch up.

      They also keep down the metric system and the electric car

      1. Solmyr ibn Wali Barad

        Re: Hopefully people will wake up!

        "They also keep down the metric system and the electric car"

        Not to mention thorium reactors. Oh, and world peace.

        1. Alpy

          Re: Hopefully people will wake up!

          And a cure for the common cold! Barstewards! ;)

  44. EJ

    I'm assuming the US Feds will be blacklisting Intel as they have done for Kaspersky products.

  45. Bob Camp

    It's about time

    Intel and AMD are going to take several years and a few hundred engineers to properly fix Spectre in their hardware. That "fixed" ID bit Linus wants is going to be '0' for the next 4-5 years. Although there are no active exploits for Spectre now, I'd have to imagine somebody will develop one within that time frame.

    Which is why everybody needs to run an anti-virus program with real-time protection. Even if you run Linux, OS X, or Android. Yes, even you. You should have already been doing that anyway, but now you can't hide behind the false pretense that "my machine is stable, fast, *AND* exploit-free". It never was really exploit-free, it's currently not stable, and now it won't even be that fast.

    1. HieronymusBloggs

      Re: It's about time

      "Which is why everybody needs to run an anti-virus program with real-time protection."

      Do you have a time machine which would enable this? Existing AV is retroactive for the simple reason that malware has to be already in existence and known about before the AV software can be written.

      Besides, "everybody" doesn't need this, only those who don't have better means of minimising malware risk.

  46. sisk

    He's right

    Putting the responsibility for fixing the bug on the customer like that is crazy. Anyplace I've ever worked would have fired the person who suggested it. The only thing I can think of to explain it is that Intel clearly doesn't care about security.

    Add this to the list of reasons that I'm an AMD user.

  47. captain_solo

    The transformation led by CIO conferences and magazines to "commodity computing" and "open source" because that would be better has shown itself to be a gigantic fraud.

    Next lets move all the compute to a few large unnacountable cloud providers running on that rickety infrastructure scaffolding pasted together with a bunch of bespoke orchestration and automation, that will be better.

    Serverless means we don't need any CPUs at all right?

    1. Yet Another Anonymous coward Silver badge

      Serverless means we don't need any CPUs at all right?

      But you don't need to won the whole CPU.

      The cloud means that your container can run on the same CPU as everyone else's container because the CPU has all these protections that stop one user mode process seeing anything from another process so it's all perfectly safe *

      * unless the CPU has pipelining or speculative branch execution of course

  48. ecofeco Silver badge

    Intel is NOT the gold standard

    Intel has been making mistakes for decades. How they stay in business is either luck or crime.

    Guess which one my cynical self thinks it is?

    1. sisk

      Re: Intel is NOT the gold standard

      It's neither. They've owned the majority of the market since the 80s. From that kind of power position you can get away with a lot. And it doesn't hurt them in the least that 90% of their missteps never get any press outside the tech sector, so the guy buying a computer in Best Buy doesn't know to avoid anything with an Intel Inside sticker.

  49. Anonymous Coward
    Anonymous Coward

    Is anyone honestly surprised

    This is what I expect from a marketing company that pretends to be a tech company... Oh I can mass produce the CPU's you will have 10 years from now but I won't I want you to buy at our specified intervals and after maybe 10 generations of CPU's you will be there, see this is how tech is done don't you know.

    Don't listen to those climate crusaders and green evangelists who complain that we produce un-needed e-wast. We are the best which is why via bios we won't let you upgrade anything, others who think making multi-generation CPU's work on the same main board are inferior. Look we are adding extra "Security" features... we call it "Spectre v2" security enhancement, Voila!!

  50. Patrician

    The problem that I see with the BIOS/Firmware flash for Spectre/Meldown is that 90% of end users, once they've got their PC, never look for a BIOS/firmware update and wouldn't even know what such a thing is. So how do we make sure all those PC's out there patched (all owned by people like my neighbour who doesn't even understand how to log onto his router), once it is stable of course?

    1. sisk

      Sadly that is the case. But that's also true of a lot of security updates. Do you realize how many people are still running five year old versions of Flash? Heck, there are still millions of XP machines floating around that haven't gotten security updates of any kind for years. Unfortunately we can't protect people who don't know they need protection.

      1. Charles 9

        But you HAVE to. Otherwise, they can take you with them. This isn't quite like immunization because if you don't get everyone, the ones you don't get can still be used to get the ones you did get previously. It's more like siege warfare, in that the enemy only has to be lucky ONCE.

        1. sisk

          Very true, but that doesn't change the fact that there's not much we can do for people who don't even realize they can update their firmware, let alone that they need to or how to do it. I mean I think most or maybe even all of us around here do our best to educate the pleebs, but there's only so much we can do.

          1. Charles 9

            But it still asks if there is more we can do because otherwise we can fall victim to other people's stupidity. Living in a world where we can be pwned without any involvement of our own (and indeed through someone else's involvement) makes things pretty scary. And unlike getting struck by lightning, the odds aren't as astronomical.

  51. Anonymous Coward
    Anonymous Coward

    To those who think they have nothing of interest

    Well you guys may be right regarding launch codes or anything like that but what about your Twitter, Facebook, Gmail, Paypal, Amazon, Credit Card, ... info that can be taken.

    Do you like have your accounts taken hostage?

    How about bitcoin... what if someone redirects your mining to a different pool/wallet?

    If your okay with that then avoid the patches... Also FYI a trusted site does not mean it can be trusted entirely. You may trust the articles on the site but can you trust the ads, yes noscript(or most script blockers) helps tremendously but no one should have full faith in anything. There is a reason why these addons get updated... clever people figure ways around things.

    I've been in the security game for almost 20 years now and well the best way to describe it is "It's a cat and mouse game". You may be protected most of the time but not 100% of the time... Keep that in mind.

  52. Jonathan 27

    We need to replace these CPUs now, there is no fix. So how is Intel getting away without refunding or replacing the chips?

    1. Charles 9

      Replace them with WHAT? I don't think there's been anything of this scope elsewhere in reality, where practically EVERYTHING for the last 20 years has to be recalled with NOTHING to replace them due for like two years or so.

  53. rmstock

    What about the SPARC processor ?

    Maybe its time that SPARC64 processors are getting deployed in PC's and laptops. This might wake up the correct department of Intel to really fix their design flaws. Or was Spectre inserted by design ? A new CPU branch and line of computers is what would be welcome here. It's not that we are talking about oldie tech here : https://en.wikipedia.org/wiki/SPARC There's the SPARC M7, SPARC S7 and SPARC M8 from Oracle running at 5000 MHz and the SPARC64 XII from Fujitsu running at 4250 MHz.

    1. Roo
      Windows

      Re: What about the SPARC processor ?

      It turns out that recent SPARCs are also vulnerable to SPECTRE attacks... Relatively "easily" solved in this age of multi-core dies... Shoehorn a slow but secure core onto the die and run sensitive code on that core alone. The question becomes whether the user has enough "non-sensitive" code running to make the performance hit acceptable.

      1. Charles 9

        Re: What about the SPARC processor ?

        But the secure core needs to be fed somehow, and that interface is where they can get you. Seems like turtles all the way down, if you ask me.

        1. Roo
          Windows

          Re: What about the SPARC processor ?

          "Seems like turtles all the way down, if you ask me."

          Nice to have a choice of turtles better suited the job at hand though. :)

          I welcome the return of our LSI-11/03 console overlords...

          1. Charles 9

            Re: What about the SPARC processor ?

            That's the problem. You think you have better suited to the job, but it's just as bad, only in a different part.

            Basically, if there's a way for a human to interact with it, there's probably a way to pwn it, and that's true even of black boxes.

            1. Roo
              Windows

              Re: What about the SPARC processor ?

              "Basically, if there's a way for a human to interact with it, there's probably a way to pwn it, and that's true even of black boxes."

              There are degrees of badness.

              "Basically, if there's a way for a human to interact with it, there's probably a way to pwn it, and that's true even of black boxes."

              I do share your assertion that no box will ever be secure, but I don't see security as an end goal. It's a continuous process, one where you will usually be one step behind, and it can appear that you are so far behind that all your efforts are futile... However I derive some satisfaction in finding a good fix for a vuln and making my patch a little bit better than it was yesterday. :)

              I see the whole vuln-discovery + vuln-remediation cycle as a an opportunity to broaden my knowledge of the systems I work with/against.

              That said, I do admit that I do find the burden of supporting / using the crud I deal with on a daily basis pretty horrible...

              I confess to feeling overwhelmed by the weight of despair that descends upon me when I find another JVM with wide open JMX sockets lurking in a dark corner, or some 9.7 CVSS score vuln in the 9000000 zillion .jars that Spring has pulled in because someone wanted to create an instance of an object using XML rather than a simple new.

              Minding the C/C++ and Python stuff really is child's play by comparison.

  54. iOS6 user

    Does Intel going to offers %20 discount on buying buggy CPUs?

    Something like this could be fair IMO.

    1. jason 53

      Re: Does Intel going to offers %20 discount on buying buggy CPUs?

      the real trouble is that all new still on the shelf PC's cant be fixed. and to redesign a new chip is 2 years+. that means the next 2 years all chips will ship with this flaw and they will all be insecure. there is NO fix just a patch that makes it slightly harder. New PC's need to have a warning customers about this flaw, but no one is speaking about this cause they don't want to tank new sales. WHAT is INTEL Doing to tell the customer today about they chips that are just unfix-able . that patch will only make it slightly harder to exploit these chips for the next 2 years.

  55. Anonymous Coward
    Anonymous Coward

    Who benefits from the crime?

    Well, if you ask me, that's all a plot to get rid of the die-hard Win7 refuseniks...

    Did you plan to keep your old laptop/desktop running Win7 till its natural death? Well, tough luck. Now you have to switch to a brand new shiny (and patched) Win10 computer to escape spectral meltdown...

    It's Intel doing its old pal Microsoft a favor (not that they won't profit from all those people buying new hardware too)...

  56. ravenstar68

    Removing Spectre mitigation in the patch - seriously?

    So if I'm reading the article right this line just made me laugh.

    "so it's preparing a patch without the problematic bits – the Spectre v2 mitigation"

    Erm isn't the whole point of patching to deal with the Spectre issue. Launching a new patch without this makes NO sense at all.

  57. jason 53

    The real trouble is that all new still on the shelf PC's cant be fixed. and to redesign a new chip is 2 years+. that means the next 2 years all chips will ship with this flaw and they will all be insecure. there is NO fix just a patch that makes it slightly harder. New PC's need to have a warning customers about this flaw, but no one is speaking about this cause they don't want to tank new sales.

  58. spunkypete

    On the bright side, re-engineered context switching could itself yield a really significant performance boost on the same manufacturing process for modern software (the number of cycles required per switch is non-optimal in my view). It might actually be worth splashing out on new hardware in a couple of years.

    Winner winner chicken dinner and all that

    1. Charles 9

      I think that's gonna have to be the new big goal. If they can make context switching quick (this includes cache management between contexts), then you can use more of them without having to worry about performance penalties. That's a huge reason most x86/x64 systems tend to only use two rings when they actually have four available.

  59. Anonymous Coward
    Anonymous Coward

    Pfft.

    Hype or Hyperbole would be the word to describe these bugs, if you installed a i3 i4 i5 etc with a duel processor and hidden ME or PSP seriously what did you expect? An all I hear from the other readers is WIndows 10 - seriously - Windows has kind of turned into the disaster of IT departments everywhere. WIndows 7 Ultimate was where the user was in control of everything, remember GOD Mode?

    If you use Windows 10 you loose pretty much all the control you had in the name of developing a product that mimic's Google android and robs you the end user, of all the control's you all fought so hard for in the first place.

    Why does Windows software always seems to proactively get worse as time goes by? If you want to retain customers, putting hidden Family-Safety and Key-logging Spyware into your business platform robbing business users of there patent idea's isn't really the way to succeed in any sphere of influence.

  60. Ray Merrall

    Any one think that both architecture manufacturers have the same problem at the same time? Just when all the computer manufacturers need to have a new product to sell. Nope, that would be too cynical...

  61. aqk
    Linux

    Very strange....

    What is with these asterisks?

    Doesn't Torvalds even know how to spell "fsck"?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like