# Intel Reveals New Spectre-Like Attack, Advises Disabling Hyper-Threading



## R0H1T (May 14, 2019)

> Intel unveiled yet another speculative execution side-channel flaw in its processors. The vulnerability affects most of the company’s processor SKUs, except the 8th and 9th generation chips, which Intel said includes hardware mitigations against this flaw.
> 
> *Microarchitectural Data Sampling in Intel Chips*
> 
> ...











						Intel’s New Spectre-Like Flaw Affects Chips Made Since 2008
					

Intel revealed a new speculative execution attack that would allow malicious actors to obtain sensitive information that would otherwise be protected by the processor. The flaw could affect system performance.




					www.tomshardware.com


----------



## biffzinker (May 14, 2019)

The Register said:
			
		

> Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors.








						Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flaws
					

Intel CPUs dating back a decade are vulnerable to latest cousin of Spectre




					www.theregister.co.uk


----------



## Regeneration (May 14, 2019)

Intel is planning to release microcode updates to mitigate these potential vulnerabilities for Sandy Bridge (2nd gen) and newer.

And remember, HT off = extra 200 MHz for your overclock, and lower core temperatures.


----------



## biffzinker (May 14, 2019)

Ryzen is affected by MDS according to Windows 10 with the latest cumulative update from today.


----------



## Lindatje (May 14, 2019)

biffzinker said:


> Ryzen is affected by MDS according to Windows 10 with the latest cumulative update from today.
> 
> View attachment 122979


They (Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle). 
have tested Ryzen and Ryzen is not affected.


----------



## johnspack (May 15, 2019)

Just got a microcode update notice in Ubuntu...  declined it for now.  Anyone else get this?


----------



## trparky (May 15, 2019)

I am really starting to regret buying my 8700K right about now. These Intel chips are turning out to have more security holes than Internet Explorer.


----------



## MrGenius (May 15, 2019)

Regeneration said:


> And remember, HT off = extra 200 MHz for your overclock, and lower core temperatures.


Also = a MASSIVE performance loss with programs/apps that are optimized for multi-threading.


----------



## trparky (May 15, 2019)

I don't know why people are laughing, I'm serious here. How many more of these kinds of exploits are there just waiting to be found?

I'll leave you with that nightmare of a question.


----------



## ratirt (May 15, 2019)

I don't know about you guys but I'm kinda sensing that Intel released this on purpose. All older gens are affected except newer gen like 9th and 8th. It's like telling you to go with the new gen processors from intel cause these don't have that vulnerability. Especially if the older generations aren't getting any fix. Also this HT disabling which is going to help. Another way to say that processors don't need it since it causes problems. Scare you off so that you won't wait for anything new coming up and you get the processors now. Why now Intel decided to say this? Because Zen2 is just around the corner and Intel want's to boost sales a bit more before that happens?
Maybe it's just an impression but that's what I get out of it.



trparky said:


> I am really starting to regret buying my 8700K right about now. These Intel chips are turning out to have more security holes than Internet Explorer.


Why regret? 8th gen is not affected. At least it's not affected by this vulnerability.


----------



## mtcn77 (May 15, 2019)

I kind of envy the Intel sheeple herd. They just received the most harrowing news on that marketing badge, _yet they aren't deterred._


----------



## biffzinker (May 15, 2019)

Lindatje said:


> They (Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle).
> have tested Ryzen and Ryzen is not affected.


Somebody needs to let Microsoft know Ryzen isn't vulnerable.


----------



## s3thra (May 15, 2019)

johnspack said:


> Just got a microcode update notice in Ubuntu...  declined it for now.  Anyone else get this?



Using a Ryzen 2600 here with Kubuntu 18.10, and yes this update has come through to me too:


----------



## er557 (May 15, 2019)

all mitigation in place, microcode updated by windows update, all is well, no performance impact whatsoever


----------



## ratirt (May 15, 2019)

er557 said:


> all mitigation in place, microcode updated by windows update, all is well, no performance impact whatsoever
> 
> View attachment 123026


Are you sure there's no performance impact? You are comparing your CPU to a 7980 which has half the cores and threads and lower clock speed and yet your is still behind in single-thread and a tad faster in multi-thread bench.
I'm just pointing this out I'm not sure if these should have been the correct values for your Xeon.


----------



## trparky (May 15, 2019)

ratirt said:


> Why regret? 8th gen is not affected. At least it's not affected by this vulnerability.


Not according to this...


----------



## trparky (May 15, 2019)

er557 said:


> all mitigation in place, microcode updated by windows update, all is well, no performance impact whatsoever


May I ask what values you have set for the following Registry settings?

*Key:* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management | *Value Name:* FeatureSettingsOverride
*Key:* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management | *Value Name:* FeatureSettingsOverrideMask
*Key:* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization | *Value Name:* MinVmVersionForCpuBasedMitigations

Because I can't get MDSWindowsSupport to be enabled to save my life. According to Microsoft's own Intel Microcode Page (KB4465065) I have the latest microcode patch installed. So with that said, my system is vulnerable to this crap.


----------



## Bill_Bright (May 15, 2019)

There are a few issues that always seem to allude those, or are just ignored by those ready to pounce on Intel (or whichever giant in their respective industry) has some new flaw  or vulnerability discovered. 

Just because a vulnerability is discovered,​
That does not mean a bad guy can waltz past, totally undetected, all the other hardware and software defenses in our networks and on our computers,
But if they some how are able to bypass all other defenses, it does not mean it is a simple process to exploit that vulnerability (plant the malicious code) while remaining undetected,
Then use that exploited vulnerability (activate the malicious code) to compromise our computers or harvest our data, again remaining undetected, 
Then be able to "phone home" with that information, or use that computer for nefarious deeds while still remaining undetected.
There is no reason to assume there are not undiscovered vulnerabilities in processors made by AMD, NVIDIA, Qualcomm, Motorola, Via, etc. That is, there is no reason to assume if you buy a Ryzen that there are no vulnerabilities (known or yet to be discovered) to be exploited by bad guys.​
For the record, this has a severity rating of "Medium" - below "High" and "Critical". And more importantly, patches have already been released, are in production, or are planned for all processors Intel current sells or are still on the market and even for most processors still in the field (source: Intel Microcode Update PDF - note the 8700K is on the list).



ratirt said:


> I don't know about you guys but I'm kinda sensing that Intel released this on purpose. All older gens are affected except newer gen like 9th and 8th. It's like telling you to go with the new gen processors from intel cause these don't have that vulnerability.


What do you expect them to say? "_*Some* processors may have this vulnerability_" then leave it at that keeping everyone guessing which processors? 

I am not saying this isn't bad, it is. And it is not just another ho-hum vulnerability. But it is not the end of the world either. 

If you run without being behind a router, without running any anti-malware or firewall protection and you don't keep Windows current, cut your Ethernet cables and panic. Otherwise, I recommend leaving the OS alone. Don't start making changes to the Registry. Let Intel and OS makers do their thing - they are already on it.


----------



## trparky (May 15, 2019)

What I would love to know is when the class action lawsuit against Intel will start. Granted, the only people who would truly benefit is the lawyers meanwhile the rest of us poor slobs would get a token $10 check in the mail.


----------



## er557 (May 15, 2019)

@trparky :
to your question, you need to run 1903 as these settings are already enabled in latest cumulative;, the microcode was released today, if you dont find it or not included in it, windows wont enable the mitigation.


----------



## trparky (May 15, 2019)

I'm still on Windows 10 1809 and I have no intention to upgrade to 1903 until a month after the release just in case Microsoft screwed the pooch again. As for the firmware update, where did you get it?


----------



## Deleted member 24505 (May 15, 2019)

trparky said:


> I'm still on Windows 10 1809 and I have no intention to upgrade to 1903 until a month after the release just in case Microsoft screwed the pooch again. As for the firmware update, where did you get it?



Ive been on 1903 for at least 6weeks now, and i have noticed zero problems


----------



## er557 (May 15, 2019)

i did not get fimware update, i got microsoft intel microcode update for windows, it is a kb with descriptions of supported cpus, and hence fimware is not needed. google it for your os, 1809


----------



## P4-630 (May 15, 2019)

https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441


----------



## John Naylor (May 15, 2019)

Bill_Bright said:


> There are a few issues that always seem to allude those, or are just ignored by those ready to pounce on Intel (or whichever giant in their respective industry) has some new flaw  or vulnerability discovered.



I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities.  None so far.


----------



## trparky (May 15, 2019)

P4-630 said:


> https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441


I already have that update installed and everything still says that my system is vulnerable. I even removed the custom registry value entries to have it be the default and yet still, no dice.


----------



## Bill_Bright (May 15, 2019)

John Naylor said:


> I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities. None so far.


Right. And yet you'd think with all the fuss and uproar and knee-jerk reactions by some over these things that life, as we know it, was about to end.


----------



## trparky (May 15, 2019)

What I find absolutely insane is that in order to regain the security we once had before all of these exploits came about, we have to effectively castrate our processors by turning off Hyperthreading. I don't know about you guys but I don't find that solution to be an acceptable option.



Bill_Bright said:


> Right. And yet you'd think with all the fuss and uproar and knee-jerk reactions by some over these things that life, as we know it, was about to end.


The bad part is, you don't know you got hit until you find your info on the dark web and then it's too late.


----------



## Bill_Bright (May 15, 2019)

trparky said:


> The bad part is, you don't know you got hit until you find your info on the dark web and then it's too late.


And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?

You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the lackadaisical incompetence of the IT administrators and/or CIOs and CSOs.


----------



## trparky (May 15, 2019)

The point I'm trying to make here is that because of these silicon-level vulnerabilities, can we really _trust_ our systems? Can we really trust what our anti-malware is saying to us considering that these vulnerabilities open the door for Ring-0 level attacks? I would say no.

If you ask me, Intel should be held legally liable since the very architecture is fundamentally flawed. As one person on the old HardOCP forums said...


> I mean their un-patched chips basically don't bother to check if bits have permission to be there until after they execute.


It's like Intel left the door open and then after the shady looking guy walks in and he's done God knows what, we check his credentials. That makes no sense.

Oh this is good... as much as I hate referencing _The Verge_, Intel is currently facing 32 lawsuits regarding Spectre and Meltdown and that was back at the beginning of 2018. (Source) How much do you want to bet that the number of lawsuits is much larger now? Yeah...


----------



## FireFox (May 15, 2019)

Does anyone knows if there is a media creation tool for 1903?


----------



## biffzinker (May 15, 2019)

Knoxx29 said:


> Does anyone knows if there is a media creation tool for 1903?


1903 is still in the testing phase, another 19H1 build 18362.113 was pushed to the slow ring.


----------



## trparky (May 15, 2019)

Once again Microsoft can't stick to a promised release schedule. What more proof do you need to indicate that Microsoft really does need to slow down on these upgrades? Twice a year is too hard, slow it down to once a year.


----------



## Vayra86 (May 15, 2019)

trparky said:


> The point I'm trying to make here is that because of these silicon-level vulnerabilities, can we really _trust_ our systems? Can we really trust what our anti-malware is saying to us considering that these vulnerabilities open the door for Ring-0 level attacks? I would say no.
> 
> If you ask me, Intel should be held legally liable since the very architecture is fundamentally flawed. As one person on the old HardOCP forums said...
> 
> ...



The problem with this is that its hindsight speak. The only way Intel will be held accountable and liable is when some memo or communication turns up prior to the release of these CPUs where the flaws are discussed and tossed aside. I doubt that's the case - never say never though.

Another question that could be legitimately asked is: 'why did no one else ever figure this out'. I mean, we're talking about _millions of CPUs_ in a many thousands of businesses, but also governments., up to and including the highest confidentiality levels. The stakes cannot be higher, yet still after all this time nobody ever said a thing about it, or noticed anything weird.

Some mistakes are just genuine, human, and yes even collectively we are very good at making the same mistake together... What's more important is how it is fixed. On top of that, we already know that its impossible to guarantee perfect security, and now we get to see this in practice (and without major damage). Maybe it's a learning experience for us.


----------



## trparky (May 15, 2019)

Vayra86 said:


> What's more important is how it is fixed.


Basically I think it's time to scrap the Core architecture and design a new one from scratch. I have a feeling that that's what Intel has planned, why else would they hire Jim Keller?  Unfortunately, even with the lauded Jim Keller at the helm it's going to take a few more years until that new architecture is anywhere near being ready for mass use and until then we get to _enjoy_ several years of new flaws.


----------



## Bill_Bright (May 15, 2019)

trparky said:


> If you ask me, Intel should be held legally liable


Legally liable for what? Have you been damaged or harmed? This is not like airbags blowing shrapnel in our faces with the company knowing about it and intenti

There are billions of transistor gates in processors. No way to expect perfection. And now you want a whole new architecture with billions more "new" and un-scrutinized gates and coding? Not to mention this would then require new OS architectures, chipsets/motherboards, perhaps RAM and all new I/Os too. And then there's all the software out there designed to run on the current platform.  


trparky said:


> Once again Microsoft can't stick to a promised release schedule.


 What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.


----------



## trparky (May 15, 2019)

Bill_Bright said:


> Have you been damaged or harmed?


I may have not been damaged. However if I were an Amazon.com AWS architect I'd be raising seven kinds of hell.


Bill_Bright said:


> What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.


People, including myself, don't necessarily need a reason to bash Microsoft. They practically give material for us to use much like politicians do for late night TV comedy hosts.


----------



## Bill_Bright (May 15, 2019)

trparky said:


> People, including myself, don't necessarily need a reason to bash Microsoft.


That's just silly. How about because this is a technical forum and maybe having a little pride in what is posted is technically correct? That seems like a a good reason to me. 

And how about because this thread is about the Intel flaw?


----------



## Deleted member 24505 (May 15, 2019)

biffzinker said:


> 1903 is still in the testing phase, another 19H1 build 18362.113 was pushed to the slow ring.



Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.


----------



## TheoneandonlyMrK (May 15, 2019)

Bill_Bright said:


> And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?
> 
> You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the *lackadaisical incompetence of the IT administrators and/or CIOs and CSOs*.


Exactly , hackers wont be after enthusiast and gamers Pc's directly , they are after, corporate tech or financial advantage after all, what with Intel owning the majority of servers , and human nature being what it is I admire your positivity.


----------



## biffzinker (May 15, 2019)

Bill_Bright said:


> What does MS have to do with this? This thread is about Intel so that's just more opportunistic bashing just to bash. And where did Microsoft "promise" to release anything? They didn't.


Likely in relation to my post about 1903 not being released yet. I was just trying to answer @Knoxx29 post about media creation tool for 1903 not being available.



tigger said:


> Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.


Ran into a blue screen disabling the new Sandbox feature myself after playing around with it. Might of been because of Windows Defender Application Guard with the recent cumulative update for 1903.


----------



## Deleted member 24505 (May 15, 2019)

biffzinker said:


> Likely in relation to my post about 1903 not being released yet. I was just trying to answer @Knoxx29 post about media creation tool for 1903 not being available.
> 
> 
> Ran into a blue screen disabling the new Sandbox feature myself after playing around with it. Might of been because of Windows Defender Application Guard with the recent cumulative update for 1903.



The sandbox is very useful imo, for testing dubious proggys before you trust them properly.


----------



## ratirt (May 16, 2019)

trparky said:


> Not according to this...
> View attachment 123038


Yeah well. I've looked over the internet and read some articles about this and I seen that table. It appears even the 9th gen is affected so as 8th. Sorry bro for the bad news.



Bill_Bright said:


> What do you expect them to say? "_*Some* processors may have this vulnerability_" then leave it at that keeping everyone guessing which processors?
> 
> I am not saying this isn't bad, it is. And it is not just another ho-hum vulnerability. But it is not the end of the world either.
> 
> If you run without being behind a router, without running any anti-malware or firewall protection and you don't keep Windows current, cut your Ethernet cables and panic. Otherwise, I recommend leaving the OS alone. Don't start making changes to the Registry. Let Intel and OS makers do their thing - they are already on it.


That wasn't my point Mr. "Corn Husker"  the question is why this hasn't been fixed within the time. Are you saying Intel didn't know about it? Ryzens don't have that vulnerability. It's just disappointing considering Intel is such a vast company in microprocessors and yet it is there. Meaning they don't give a rats ass about the security. I'm just disappointed.  Anyway it can be fixed via soft? Hopefully not by disabling HT cause that's a fools errand in my opinion. They need to catch up with that and hopefully new products won't have that vulnerability.



Bill_Bright said:


> Legally liable for what? Have you been damaged or harmed? This is not like airbags blowing shrapnel in our faces with the company knowing about it and intenti
> 
> There are billions of transistor gates in processors. No way to expect perfection. And now you want a whole new architecture with billions more "new" and un-scrutinized gates and coding? Not to mention this would then require new OS architectures, chipsets/motherboards, perhaps RAM and all new I/Os too. And then there's all the software out there designed to run on the current platform.


Maybe they should have been held responsible. Here's that Corn husker attitude again. Stop offending people. So what if it has billions of transistors? You can protect from this when you want to do it despite how many transistors you have. Maybe at some point Intel will be held responsible if the companies using this product get really pissed or lose sensitive data cause of this. Intel didn't put too much effort to test products for security breach. It's their product and I'm100% sure they had known about this when the products were released.



tigger said:


> Tbh imo it's fine for release now, been using it for 6 weeks, everyday use and gaming, no problems.


Is it open for free download on Microsoft page? If not when is the release scheduled if anyone knows?


----------



## R-T-B (May 16, 2019)

tigger said:


> The sandbox is very useful imo, for testing dubious proggys before you trust them properly.



And ironically, breaking out of a sandbox is one thing this vulnerability can do with relative ease.


----------



## Bill_Bright (May 16, 2019)

ratirt said:


> the question is why this hasn't been fixed within the time.


I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?


ratirt said:


> Are you saying Intel didn't know about it?


And how do you know they did? You don't! Yet you assume (1) they knew about it all along and (2) you assume they intentionally chose to do nothing about it and (3) you have decided based on your assumptions and speculations (with no proof at all) that Intel doesn't care about security! Yeah right. Talk about YOUR attitude. 

And by the way, just because I live in Nebraska, it does NOT, in any way imply I am native to here, that I am a Cornhusker fan, or that I have the same values as them. Frankly, your comments just indicate  serious concerns with your attitude in how you prejudge people without ever actually knowing them. That's pretty sad.


ratirt said:


> So what if it has billions of transistors? You can protect from this when you want to do it despite how many transistors you have.


Oh, excuse me. I did not realize you are the preeminent expert in microprocessor design and manufacturing and know it all when it comes to discovering, identifying and protecting consumers from every potential flow in them.


----------



## HD64G (May 16, 2019)

trparky said:


> I already have that update installed and everything still says that my system is vulnerable. I even removed the custom registry value entries to have it be the default and yet still, no dice.


My take is that without firmware updates this vulnerability will keep existing as some of the others previously.


----------



## Chomiq (May 16, 2019)

trparky said:


> Once again Microsoft can't stick to a promised release schedule. What more proof do you need to indicate that Microsoft really does need to slow down on these upgrades? Twice a year is too hard, slow it down to once a year.


What they need to do is to hire an actual QA team instead of using users to beta test their updates.


----------



## Bill_Bright (May 16, 2019)

Chomiq said:


> What they need to do is to hire an actual QA team instead of using users to beta test their updates.


They do. But it is important to understand virtually every single one of the 1.5+ billion Windows systems out there is a unique machine. Unique with its own hardware configurations, security setups, network setup, users and user customization, and installed apps. No way can they test every scenario. So they have to rely on the beta testers. 

What they need to do is actually listen to the Windows Insiders who do the beta testing and when problems are reported, fix them. They were not staying on top of that well -but after last years fiasco, they are now - or are at least much better at it. But they actually need more insiders testing. As any statistician knows, the greater the sampling, the more accurate the results. So I recommend everyone who has an extra system, join up and be a part of the solution.


----------



## trparky (May 16, 2019)

Bill_Bright said:


> No way can they test every scenario.


And yet they did it back in the day, they had their own QA department and they "dog fooded" their software on their own employees. And you know what? Software quality was far better than it is now. These days installing a Windows Update is like playing Russian Roulette, you never know if your system won't boot after the update's done.

There used to be an initiative called the Trusted Computing Platform. Where is it? Gone. QA department? Gone. When Satya was hired as CEO both departments went bye bye and with it overall software quality.


----------



## Bill_Bright (May 16, 2019)

trparky said:


> And yet they did it back in the day, they had their own QA department and they "dog fooded" their software on their own employees.


No they didn't. Get real and stop trying to BS everyone. Intel has never had more than 150,000 employees. No way, even back in the day - except MAYBE  when there only the IBM PC could they test every scenario. 



trparky said:


> Software quality was far better than it is now.


_Software_ quality? This is about Intel _hardware_! 

You are just throwing anything you can get your hands on at the wall and hope it sticks.


----------



## trparky (May 16, 2019)

I'm referring to Microsoft since the piece I quoted from you was regarding Microsoft. This part of the conversation started with @Chomiq.

And yet they (Microsoft) did it back in the day, they (Microsoft) had their own QA department and they (Microsoft) "dog fooded" their software on their own employees. Windows XP was rock solid, we never had to worry about a Windows Update bricking systems world wide back in the days of Windows XP. Fast forward to Windows 10 and we are all Microsoft's own lab rats.

Case in point, the last update that caused issues with a certain antivirus installed on the system. Really Microsoft? This would have never happened years ago.


----------



## TheoneandonlyMrK (May 16, 2019)

trparky said:


> I'm referring to Microsoft since the piece I quoted from you was regarding Microsoft. This part of the conversation started with @Chomiq.
> 
> And yet they (Microsoft) did it back in the day, they (Microsoft) had their own QA department and they (Microsoft) "dog fooded" their software on their own employees.


playing fair software and hardware was significantly simpler Back int day , as were the dev suites and Sdk's , Api's , interfaces, in fact i can actually state everything was simpler back int day.

this is not even a fault, to be clear it's a vulnerability, something NO ONE foresaw being technically possible both when it was designed and made and also in the many years since then until a researcher Discovered the FLAW in intel's security architecture , the chips were not made bad or defective.


----------



## trparky (May 16, 2019)

I'm simply referring to the fact that these days you have to worry if a Windows Update will suddenly either BSOD your system upon restart or delete your data.

And besides, people don't exactly like the idea of being spied on (or so they say, see Windows 10 telemetry) along with the inability to disable Windows Update (without having to install such programs like ShutUp10) which is why so many people haven't upgraded to Windows 10 yet. Go ahead and journey into the General Software forum right here on TPU and I can guarantee you that you'll find people who rant constantly about how Windows 10 is a train wreck. I may not necessarily think Windows 10 is a train wreck but if enough people do think that way, Windows 10 will be seen as such by the general public.

As for software quality issues... see this thread. How the heck did Microsoft not catch this? This would've never happened years ago.


----------



## TheoneandonlyMrK (May 16, 2019)

trparky said:


> I'm simply referring to the fact that these days you have to worry if a Windows Update will suddenly either BSOD your system upon restart or delete your data.
> 
> And besides, people don't exactly like the idea of being spied on (or so they say, see Windows 10 telemetry) along with the inability to disable Windows Update (without having to install such programs like ShutUp10) which is why so many people haven't upgraded to Windows 10 yet. Go ahead and journey into the General Software forum right here on TPU and I can guarantee you that you'll find people who rant constantly about how Windows 10 is a train wreck. I may not necessarily think Windows 10 is a train wreck but if enough people do think that way, Windows 10 will be seen as such by the general public.
> 
> As for software quality issues... see this thread. How the heck did Microsoft not catch this? This would've never happened years ago.


I updated when 1809 deleted all your folders, I lost a couple of logs ,that's all.
Stuff can go wrong , maybe an update, maybe the dog pisses on it regardless if you own a PC and have'nt had it completely shit the bed and kill all your everything , then you have'nt had a PC long enough to moan about update deaths imho.

besides I f&%£d my Pc up way more times then Microsoft or Intel Ever could, i fixed it ,eh.


----------



## phanbuey (May 16, 2019)

John Naylor said:


> I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities.  None so far.



Too early still, also the attacks are pretty difficult to pull off.  It's catching in flight cache data... that might be sensitive data... but most likely not, and it has to have a locally executing javascript applet to do it; again possible - but no one is going to sit around looking at randomly leaked cache data hoping for a password to a normal user.


----------



## trparky (May 16, 2019)

theoneandonlymrk said:


> I updated when 1809 deleted all your folders, I lost a couple of logs ,that's all.


I don't care if it was just log files, data loss because of an upgrade is simply *NOT* acceptable! It's one thing if hardware failure or user error occurred, it's another thing because something didn't get tested properly.


----------



## P4-630 (May 16, 2019)

Anyone else got the same kb4494441 update again today?


----------



## TheoneandonlyMrK (May 16, 2019)

trparky said:


> I don't care if it was just log files, data loss because of an upgrade is simply *NOT* acceptable! It's one thing if hardware failure or user error occurred, it's another thing because something didn't get tested properly.


User error causes data loss Even in that case , not an update , bacup , enough said.


----------



## trparky (May 16, 2019)

P4-630 said:


> Anyone else got the same kb4494441 update again today?


Yeah, I did. Microsoft Kuality Control strikes again.


----------



## phanbuey (May 16, 2019)

im hoping intel's cascade lake has a bunch of this stuff mitigated... and has some extra cache to mitigate the performance hit lol


----------



## ratirt (May 17, 2019)

Bill_Bright said:


> I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?
> And how do you know they did? You don't! Yet you assume (1) they knew about it all along and (2) you assume they intentionally chose to do nothing about it and (3) you have decided based on your assumptions and speculations (with no proof at all) that Intel doesn't care about security! Yeah right. Talk about YOUR attitude.
> 
> And by the way, just because I live in Nebraska, it does NOT, in any way imply I am native to here, that I am a Cornhusker fan, or that I have the same values as them. Frankly, your comments just indicate  serious concerns with your attitude in how you prejudge people without ever actually knowing them. That's pretty sad.
> Oh, excuse me. I did not realize you are the preeminent expert in microprocessor design and manufacturing and know it all when it comes to discovering, identifying and protecting consumers from every potential flow in them.


I can bet they knew about this but they just kept their mouths shut. I ask again. You don't need to change the coding. Are you telling me you are an expert? Cause you make it sound like one of us must be an expert to know something about it. So if I'm not an expert then you are? I seriously doubt it. It has already been fixed with software at least some of it. So you were wrong. 
Secondly, Cornhusker is a reference to a native Nebraska person or a resident. Besides I wasn't referring to any sports team and imply you being a fan of one. I'm guessing you have missed this. 
Intel and any other company has a department to test their products in terms of any security issues. Maybe instead of taking this seriously they been goofing off recently and this is what consumers get. 
"from every potential flow?(or flaw) in them" I didn't get that one.


----------



## juiseman (May 17, 2019)

So is this the 4th or 5th discovery in the last year? I have lost track now....

What is the performance hit in total with all of the patches installed? is it a few % on each?
are we talking about 20%-25% total now? 
Or do I have all this wrong.....


----------



## er557 (May 17, 2019)

I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...


----------



## P4-630 (May 17, 2019)

er557 said:


> I have all mitigations enabled and secure on haswell-ep, latest updates and microcode



How did you confirm this? 
And just by windows updates?


----------



## Chomiq (May 17, 2019)

P4-630 said:


> How did you confirm this?
> And just by windows updates?


There's MDS Tool that's available on:





						MDS Attacks: Microarchitectural Data Sampling
					






					mdsattacks.com


----------



## er557 (May 17, 2019)

Easier than this tool, there is a powershell script from MS called speculationcontrol, google it, use it, and you will see all vulnerabilities and whether they are OK.

edit: indeed, just by updates, whether standalone from web or from windows update itself.


----------



## P4-630 (May 17, 2019)

er557 said:


> Easier than this tool, there is a powershell script from MS called speculationcontrol, google it, use it, and you will see all vulnerabilities and whether they are OK.
> 
> edit: indeed, just by updates, whether standalone from web or from windows update itself.



Can you make a screenshot from when you run the MDS tool?





						MDS Attacks: Microarchitectural Data Sampling
					






					mdsattacks.com


----------



## R0H1T (May 17, 2019)

er557 said:


> I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
> win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...


That's factually inaccurate, except for edge cases all ucode+OS mitigations produce a negative impact on performance on all systems (w/*spectre*) including AMD. The impact is application dependent, but it is there, more so wrt meltdown.


----------



## er557 (May 17, 2019)




----------



## Bill_Bright (May 17, 2019)

ratirt said:


> I can bet they knew about this but they just kept their mouths shut.


Yeah right! Because they thought nobody would notice?  These companies have learned that  bad publicity from the cover-up is MUCH WORSE than the crime itself. And they have learned whistle-blowers will leak such information if nothing is done about it.

If they knew about it and kept their mouths shut it was to keep that information from the bad guys - which IS the proper and logical way to deal with these type issues.



> You don't need to change the coding.


 Well of course coding needs to be changed. If the code is flawed, it needs to be fixed. They cannot "recall" all these processors out in the field so they will need to rely on other ways to patch that code for those already in the field. But for future processors, then they will need to revise the coding within the dies.



> Are you telling me you are an expert?


No, but I do have multiple degrees and certs in electronics and IS/IT systems, and have taken several courses in computer electronics, including micro-electronics. I have taught electronics and I have company management training and experience too - enough of each to give me some pretty good insight here. You can follow the link in my sig to see if I might know a little about what I am talking about. But I still would not pretend to be a CPU expert enough to make such claims as "Intel knew all along", that "they don't care", or any of the other purely speculative assumptions many, including you, have made in this thread when you are neither an expert nor an Intel insider. You are just guessing, pretending to know things you have no clue about, and then pretending that gives you the credentials to accuse and bash Intel and others with totally unsubstantiated, often nonsensical (like that below), if not totally false claims. Example:


trparky said:


> And yet they did it [test every scenario] back in the day,
> Once again Microsoft can't stick to a promised release schedule.
> we never had to worry about a Windows Update bricking systems world wide back in the days of Windows XP


Every scenario? Promised release schedule? World wide bricking of systems? See? Nonsense. 

As for bricking systems, for one, problems with WU are very rare and "bricking" system is even more rare. Does it happen? Of course! As I noted, they cannot test every scenario. But the odds it might happen are extremely rare. If it was anything like trparky wants you to believe, it would have happened to 1000s of TPU posters. Where are they? I personally know of no system ever "bricked" by a WU. Worse case was having to reboot a couple times and then they were good to go. 

And comparing W10 from today to XP from almost 20 years ago is more nonsense. The emphasis back then was legacy hardware and software support, not security. Microsoft today puts security ahead of legacy support. So what happens? Microsoft gets bashed by the trparky's for not supporting legacy stuff. But that's okay. Microsoft would much rather get bashed for that instead of getting bashed for security issues that are not their fault - and rightfully so, IMO. 

Is this Intel problem bad? It sure is not good. But is it right to go on this relentless bash fest, feeding frenzy, pulling in Microsoft and others to bash in the process? No.


----------



## trparky (May 17, 2019)

Bill_Bright said:


> Does it happen? Of course!


Yes, and it's happening more lately since they fired their own internal QA department. Well, that may be a bit of a sensationalist kind of way to say it but they (according to people in the industry, Why did Microsoft lay off 'Programmatic testers'?) Microsoft laid off a lot of their programmatic testers and have put much more of the testing on the developers themselves. Just like novelists and newspaper reporters (at least the *good* newspapers!) hire editors to go over their writing to check for grammar and various other issues with their writing so as to bring in a fresh pair of eyes to the situation, programming code also needs someone else (who didn't write the code) to check it over. This last step was done away with internal to Microsoft and that job has been put into the hands of the same people writing the code. Has this caused software quality to drop? Oh hell yeah!


Bill_Bright said:


> I personally know of no system ever "bricked" by a WU.


Then you really need to talk to some of your IT buddies because I'm damn sure you'll hear horror stories.


----------



## R-T-B (May 17, 2019)

Bill_Bright said:


> I ask again? What do you expect? How do you change the coding of a processor already out in the field - coding that is basically hardwired in there by the default "quiescent" state of the gates?



Microcode.  But even that has rather immense limits...  just pointing it out.  It's the best approach, albeit, pretty tough to manage.

I've built a name for myself around my understanding of UEFI, microcode, and my ability to reverse engineer things.  So while I am hardly an expert (someone who reverse engineers never is), I can say the timeframe is quite plausible.



trparky said:


> Then you really need to talk to some of your IE buddies because I'm damn sure you'll hear horror stories.



The only brick-like update I'm aware of related to Surface tablet, gen 1 hardware.  And a bootloop is not a brick, mind you.


----------



## trparky (May 17, 2019)

R-T-B said:


> And a bootloop is not a brick, mind you.


To your average user who doesn't know jack about computers, they might think of it as such.


----------



## R-T-B (May 17, 2019)

er557 said:


> I have all mitigations enabled and secure on haswell-ep, latest updates and microcode, hyperthreading enabled, I see no performance impact whatsoever, storage or cpu.
> win 1903 has retpoline system to prevent performance impact from mitigations. In fact, my benchmarks are higher...



Retpoline has been used in linux for a bit now and is pretty ingenius.  Needs to be deployed widely asap.



trparky said:


> To your average user who doesn't know jack about computers, they might think of it as such.



Doesn't change the definition though.

I agree Windows 10 quality of updates has suffered dramatically though.  In order to rehire quality testers though, be prepared to pay full upgrade price every 2 years again.



trparky said:


> Trusted Computing Platform



This is part of Trusted Computing Group, still exists, and is unrelated to Microsoft.

They do things like TPM, Opal, and related standards.


----------



## trparky (May 17, 2019)

R-T-B said:


> In order to rehire quality testers though, be prepared to pay full upgrade price every 2 years again.


If that means that we get better quality software and where patches don't send our systems into BSODs then that's money well spent. Sometimes you have to pay for quality.

Think about it this way... Windows 10 was given away for free for the first year (officially). Unofficially that free upgrade is still going on. So with Windows 10 being given away for free, one has to wonder what that's done to the Windows Development Department's budget. I can't imagine the hit was very good.


----------



## R-T-B (May 17, 2019)

trparky said:


> If that means that we get better quality software and where patches don't send our systems into BSODs then that's money well spent. Sometimes you have to pay for quality.



I ageee on a personal basis, but that only works if everyone agrees.  In todays "free app (ad supported)" world I am unsure it would sustain Microsoft honestly.



trparky said:


> I can't imagine the hit was very good.



Me neither.  I picture they are running on scraps from upper departments.


----------



## trparky (May 17, 2019)

R-T-B said:


> I agree on a personal basis, but that only works if everyone agrees.  In today's "free app" world I am unsure it would sustain Microsoft honestly.


Don't get me started on the whole "free app" phenomenon. There's a reason why it's free, this is what people don't understand. Facebook can function for free because *they sell your data*. Gmail is free because *they sell your data*. It comes down to something that's said in some circles... If something is free, *YOU are the product!*


R-T-B said:


> Me neither.  I picture they are running on scraps from upper departments.


Yeah, and that's scary.


----------



## Bill_Bright (May 17, 2019)

trparky is still ranting about MS. 


			
				Bill_Bright said:
			
		

> I personally know of no system ever "bricked" by a WU.





			
				trparky said:
			
		

> Then you really need to talk to some of your IT buddies because I'm damn sure you'll hear horror stories.


As I said, I "personally" know of no system. As for my buddies - we consult with each other often and again, I know of no others that were "bricked". Maybe you don't have a good understanding of what bricked means but it does not matter. That is not the point of this thread and it is not your thread so I am done discussing it with you.


----------



## trparky (May 17, 2019)

Then this part of this thread needs to be spliced out into its own thread. And as far as ranting about Microsoft, they damn well deserve it! I may have not had any problems but that doesn't take away from the fact that if you go do a Google search about such and such KB article update causing issues you won't have to go very far past the first page worth of search results.

But again, this needs a different thread and I call upon a moderator to splice the parts out and we can continue to discussion there.


----------



## Metroid (Jun 13, 2019)

The best thing to do here is ignore intel and all the crap, do not disable smt, but first before you do all that, make sure you never use that computer for any online banking or transactions.


----------



## trparky (Jun 13, 2019)

chrispeddler said:


> is it the Intel that causes the vulnerabilities


Intel. Their processor designs caused the vulnerabilities.


----------



## Bill_Bright (Jun 13, 2019)

Metroid said:


> The best thing to do here is ignore intel and all the crap, do not disable smt, but first before you do all that, make sure you never use that computer for any online banking or transactions.


 This is really lousy and clearly biased, fear mongering advice!

You can safely and confidently use your Intel based computer for anything you want, including banking. I just this morning transferred funds from one bank to another, then transferred more  funds from one bank into my PayPal account, then sent some $$ from my PayPal account to my son with NO reservations, fears, or concerns a bad guy will compromise my computer or any of my bank accounts. You can too.

All you need to do is keep Windows updated, use and keep current a decent anti-malware solution (I use Windows Defender along with Malwarebytes on all systems here) and don't be "click-happy" on unsolicited links, popups, downloads, and attachments - the exact same precautions you must do if you have an AMD based computer.

Just because a vulnerability exists, that, IN NO WAY, means it is exposed to bad guys or that they could exploit it.

If Intel processors were as unsafe as Metroid wants you to believe, where are all the 100s of millions infected Intel computers that must be out there?



John Naylor said:


> I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities. None so far.


Here is it a month after John Naylor made that statement on page 1 of this thread and still there are no reports of a single Intel based machine being infected through one of these vulnerabilities. Not one!



chrispeddler said:


> Newbie techie here. I'm a bit confused....is it the Intel that causes the vulnerabilities or is it Microsoft? If it's Microsoft OS, then I might switch to Mac or Linux? Any advice?


Kudos to you, Chris for being wise and reaching out and asking questions. Just note it is very important to do your homework and research ALL the facts before coming to any conclusions and to ignore the extremist advice from those who clearly have not their homework. Use Bing Google yourself. Do you see where Intel users are being infected due to these vulnerabilities? I don't see it. And why is that? Because updated operating systems and anti-malware program developers, as well as firmware updates have all addressed these problems. So again, if you keep your OS and security updated, and don't be click happy, you are just fine using your Intel based computer for any purpose.

And for the record, AMD processors are not immune to exploitable vulnerabilities either. Examples include those reported here and as reported by AMD themselves.

Note this Apple report from The Guardian where it says, 





> Apple’s iPhones, iPads and Mac computers are all vulnerable to the major processor flaws ... updates are already available.
> 
> The flaws known as Meltdown and Spectre affect almost every modern computing device from all manufacturers using chip designs from Intel, AMD and ARM.


Does that mean we should avoid all computing devices? That would be as ridiculous as the advice to avoid banking with Intel was.


----------



## Metroid (Jun 13, 2019)

Bill_Bright said:


> If Intel processors were as unsafe as Metroid wants you to believe, where are all the 100s of millions infected Intel computers that must be out there?



Sorry for not clearing it up, to me is not about a processor per se, is more about the whole package, as long as you have something that can be used to exploit something from you in any way, remember that nothing is 100% safe unless in intranet where there is no internet connection, my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering, that is just a warning that if you want to be 100% safe then do it physically. I myself never use online banking or transactions.


----------



## R-T-B (Jun 13, 2019)

Bill_Bright said:


> Here is it a month after John Naylor made that statement on page 1 of this thread and still there are no reports of a single Intel based machine being infected through one of these vulnerabilities. Not one!



Considering by their nature infection vector would be untracable, you'll never get one either.  It'd fall under generic "infected by malware"



Metroid said:


> Sorry for not clearing it up, to me is not about a processor per se, is more about the whole package, as long as you have something that can be used to exploit something from you in any way, remember that nothing is 100% safe unless in intranet where there is no internet connection, my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering, that is just a warning that if you want to be 100% safe then do it physically. I myself never use online banking or transactions.



I find that overly cautious to the point of paranoia, but you are indeed correct, it is the safest.


----------



## Bill_Bright (Jun 13, 2019)

Metroid said:


> my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering


But that applies to any device, regardless the brand name on the processor. 

I appreciate you now saying it is not about the processor, but  that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking.  That was fear mongering and simply bad advice.

And frankly, even your comment now is incorrect. To claim you are unsafe if you have an Internet connection is wrong. Yes, if you have internet access, your computer is exposed, but that IN NO WAY means you are unsafe. It is easy to secure your computing device and make it safe. With W10, it is almost effortless - if you leave the defaults alone and pay attention to what you click on. To suggest otherwise is spewing misinformation, if not fear-mongering. 

There is no way to be 100% safe regardless how you connect to the internet. If a professional and determined bad guy is out to get you personally, they can do it. Just as a determined bad guy can break into your home regardless how many locks you have or the sophistication of your security system. But when it comes to private citizens, bad guys are lazy  opportunists. They go for the low hanging fruit. If they can't trick you into clicking on a malicious link (and every processor brand is vulnerable to that), they are not going to waste their time trying to hack through your wireless network, your router, your computer's local firewall, your security and the OS itself to plant malicious code on your system that then must deploy its payload and then do its dirty deed - without being detected. If they see any resistance, they are going to move on to easier pickings; to the person still using XP, or to the person who has failed to keep their OS and security updated. 

In no way am I saying these vulnerabilities are minor and can be ignored. But these exaggerated, knee jerk comments, advice and suggestions are simply irrational and fear mongering BS.


R-T-B said:


> Considering by their nature infection vector would be untracable, you'll never get one either. It'd fall under generic "infected by malware"


More bullfeathers! The careless and/or ignorant user who fails to properly keep his or her computer and security system updated would not know how their system got infected - though surely they would blame Microsoft or Intel. But there are 1000s of professional security analyst around the globe right now scouring the malicious code that is out in the wild who would know. Where are their reports? And there 1000s more professionals who analyze and repair infected systems who can tell if a system was patched or not, and who could identify the malware as one designed to exploit those processor vulnerabilities. Where are their reports? They aren't out there because this just is not the problem the alarmists want everyone to believe. 

Yes, the vulnerabilities are real. And yes they are bad. But they are NOT being exploited as you and others seem to believe and want everyone else to believe.


----------



## Metroid (Jun 13, 2019)

Bill_Bright said:


> But that applies to any device, regardless the brand name on the processor.
> 
> I appreciate you now saying it is not about the processor, but  that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking.  That was fear mongering and simply bad advice.
> 
> And frankly, even your comment now is incorrect. To claim you are unsafe if you have an Internet connection is wrong. Yes, if you have internet access, your computer is exposed, but that IN NO WAY means you are unsafe. It is easy to secure your computing device and make it safe. With W10, it is almost effortless - if you leave the defaults alone and pay attention to what you click on. To suggest otherwise is spewing misinformation, if not fear-mongering.



Agreed, regarding when I said "ignore intel", I meant ignore their warning as they were the one who supposed recommended disabling smt, now is up for the people if they want to follow that recommendation or not, I would not disable because my computer is not used for online banking or transactions, some people will do.

And there is another funny thing happened to me some weeks ago, I received an email saying somebody got all the data I have and know all my passwords and they wanted money for that, I dont use my computer for anything other than browsing and gaming and as I said I never do online banking or transactions and a rarely click in unknown websites and i have all the protection you can think of to block any incoming or outgoing connection or backdoor and yet this email asking for money had a known password of mine, long story short, i have all possible measures and countermeasures and yet somehow somebody got hold of a known password of mine, how did he do, who knows. Even though I have a computer science degree and almost 25 years experience in the area. Now imagine an average joe hehe, so like I said before want something 100% secure, remove your ethernet cable from your computer, now, if you just do like I do browsing and gaming where the internet connection is enabled then follow simple procedures for example, never online banking or transactions, 2fa is a possibility but make sure your mobile is not connected to the same network you complete a known transaction.

I have other computers that I use for work and those don't have internet connection for counter measure.


----------



## Bill_Bright (Jun 13, 2019)

Metroid said:


> Agreed, regarding when I said "ignore intel", I meant ignore their warning as they were the one who supposed recommended disabling smt


Okay, I appreciate you saying that - but that was over a year ago!

As for someone getting your password, no surprise there. Companies are being hacked almost on a daily basis. If you ever had a Yahoo account, that password was stolen. And sadly, many of these companies are totally negligent by failing to keep their networks fully patched and secure. I mean if you look at the HUGE Equifax hack, not only did they fail to apply available (for months!) patches that would have prevented the hack in the first place, the very-personal data that was exposed was not even encrypted.   IMO, someone should be held criminally negligent on this and many other hacks.

I've been accused of being overly paranoid because I refuse to do any online banking through my cell phone because I don't trust that system (or cell phone carriers) to keep my data safe. But I am confident a PC, especially a Ethernet connected PC, can be used safely for online banking and other sensitive tasks - regardless the brand name on the processor.


----------



## Metroid (Jun 13, 2019)

Bill_Bright said:


> Okay, I appreciate you saying that - but that was over a year ago!
> 
> As for someone getting your password, no surprise there. Companies are being hacked almost on a daily basis. If you ever had a Yahoo account, that password was stolen. And sadly, many of these companies are totally negligent by failing to keep their networks fully patched and secure. I mean if you look at the HUGE Equifax hack, not only did they fail to apply available (for months!) patches that would have prevented the hack in the first place, the very-personal data that was exposed was not even encrypted.   IMO, someone should be held criminally negligent on this and many other hacks.
> 
> I've been accused of being overly paranoid because I refuse to do any online banking through my cell phone because I don't trust that system (or cell phone carriers) to keep my data safe. But I am confident a PC, especially a Ethernet connected PC, can be used safely for online banking and other sensitive tasks - regardless the brand name on the processor.



I guess we have always been paranoid at some time, I'm no different, I was once very paranoid but if you follow simple steps then you dont need to be paranoid anymore when it comes to internet security. Hackers can steal anything from me, nothing they get from me will ever send me to jail or compromise me in anyway. That email I got from the supposed hacker, I simply ignored because I have nothing to lose, same thing if i had an intel cpu hehe, dont disable smt, enjoy 4 more threads and life goes on.

Well files from work and other things in computers with no connection, so those files they will never get from me hehe


----------



## Vayra86 (Jun 13, 2019)

Chomiq said:


> What they need to do is to hire an actual QA team instead of using users to beta test their updates.



Its already been proven long ago that big data and the size of your test set is the most effective part of testing. This is also why we run regression tests - automated, would-be user interactions can run all day and night.

People act like one test method excludes the others... even MS isnt that silly or arrogant. When you get an insider build it has already been vetted in some way. Public beta is on top of that.

I think people fail to appreciate that MS employs some of the better programming talent in the world. W10 is a pretty impressive OS if you get the scope of it and its backwards compatibility. 



Bill_Bright said:


> But that applies to any device, regardless the brand name on the processor.
> 
> I appreciate you now saying it is not about the processor, but  that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking.  That was fear mongering and simply bad advice.
> 
> ...



Go get em Bill. The amount of unsubstantiated BS in this topic is bizarre.


----------



## juiseman (Jun 13, 2019)

I use online banking on a daily basis also.
Don't really give it much thought usually. 
  usually don't have much in there to steal. lol...

So, not too worried there.

But; in my view nothing is 100% secure....
If someone want's something bad enough;
They will find a way.

The only thing I do that is extra cautious is I only have 
pay pal linked to my credit card. So its like a triple
secured way to buy things online. You have then 3 layers 
of security. Pay pal, then Visa then your bank.
I money goes missing or unauthorized purchases happen;
The chances of getting your money back are way better.

Its much easier to get your money stolen through skimming 
at gas Pumps. Happen to me 2 times in 6 moths, 2 diff places,
2 different cards. Visa notified me within min. of it happening.
And on the other card, A (pay pal Debit) Pay Pal reversed it 
and also both got my money back.

So, now I only use Credit cards or cash at gas stations &
try to use the Pumps closest to the clerk if I can. Since its
probably harder to tamper with the gas pump card reader
in plane sight unless the employees were in on it (which is more
probable.) 

I think its best to split up your funds in several stash spots;
Like different banks, different local places (house) or on person
or if your into investing; maybe several different securities and such.

Maybe I'm OSD, but that's what I would do....


----------



## trparky (Jun 13, 2019)

Bill_Bright said:


> someone should be held criminally negligent


And yet nobody was found to be criminally negligent when it comes to the Equifax hack. All we got out of the whole damn fiasco was a free year of credit monitoring. Oy.

I'm still pissed about that shit.


----------



## biffzinker (Jun 13, 2019)

juiseman said:


> Its much easier to get your money stolen through skimming
> at gas Pumps.


The recent smart chip on a credit card is suppose to prevent the old way of skimming via mag strip.


----------



## trparky (Jun 13, 2019)

biffzinker said:


> The recent smart chip on a credit card is suppose to prevent the old way of skimming via mag strip.


And I've heard of ways to hack that too. About the only way that I figure using your credit card from now on is to use some form of NFC payment such as Google, Samsung, or Apple Pay in which a one-time use randomly generated credit card number (sometimes referred to as tokenized payments) is sent to the retailer. Your real credit card number is never sent.

Oh, and have your bank send you a notification for every single payment ever made on your cards that way if you suddenly get a notification completely out of the blue for no reason you can follow up on the fraudulent charge very quickly.


----------



## Bill_Bright (Jun 13, 2019)

Metroid said:


> but if you follow simple steps then you dont need to be paranoid anymore when it comes to internet security.


Exactly! Thanks for saying what I've been saying all along.


Vayra86 said:


> Its already been proven long ago that big data and the size of your test set is the most effective part of testing.


Right. I used to work in large software development company. We had 400 developers at my location. Before a new release, everyone - including those of us in hardware support - became "in house" beta testers. And we really worked hard trying to break and abuse, use and misuse the software every way possible in an attempt to find every bug. But still when the software hit the field and 1000s of users started using it, the occasional bug would still appear. And for our product, it all ran on specifically configured hardware we managed too - in tightly controlled software environments. That is, no unauthorized software went on those systems.

Virtually every single one of the 700 million+ W10 machines are uniquely configured in both the hardware and software.


----------



## Steevo (Jun 13, 2019)

Bill_Bright said:


> And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?
> 
> You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the lackadaisical incompetence of the IT administrators and/or CIOs and CSOs.



It's those servers running Intel hardware in the cloud that allow these hacks and our information out. Not sure what the confusion is, Intel has a large margin of server hardware worldwide and their hardware is leaky. 

It can be end users as well, but why Rob the individual when thousands can be taken?


----------



## Bill_Bright (Jun 13, 2019)

Steevo said:


> It can be end users as well, but why Rob the individual when thousands can be taken?


Which is one of the main reasons why so many bad guys are concentrating on corporations instead of individuals. The other main reason is home computers, especially those running W10, and home networks are inherently more secure these days. The payoff to spend the extra effort hacking into a home computer is just too little to make it worthwhile for them.


Steevo said:


> and their hardware is leaky.


While that may be true, "leaky" still does not automatically imply "exposed". If one of those cloud/corporate networks is successfully breached, and one of those severs is successfully hacked and one of those Intel processor vulnerabilities is successfully exploited, and the compromised data is successfully captured by a badguy, it is because someone responsible for that IT support failed to do his or her job. 



trparky said:


> Oh, and have your bank send you a notification for every single payment ever made on your cards that way if you suddenly get a notification completely out of the blue for no reason you can follow up on the fraudulent charge very quickly.


I love this feature. Don't get me started on Wells Fargo but suffice it to say I still use them for my primary checking account. I set up an alert for any draft on my account greater than $1.00. If I use my debit card to buy something from Amazon or Newegg, as examples, I typically get an email notice from Wells Fargo before I get notice from Amazon or Newegg. 

Note sure why they call it a "checking" account. I think its been 3 years since I actually wrote a check!


----------



## trparky (Jun 13, 2019)

Bill_Bright said:


> I love this feature. Don't get me started on Wells Fargo but suffice it to say I still use them for my primary checking account. I set up an alert for any draft on my account greater than $1.00. If I use my debit card to buy something from Amazon or Newegg, as examples, I typically get an email notice from Wells Fargo before I get notice from Amazon or Newegg.


I have my bank send me a notification on my iPhone for my debit and credit card. Within ten seconds of a charge on the card, I get a notification on my iPhone indicating the dollar amount and the merchant that performed the transaction. Even though my bank (a credit union) probably has the most paranoid anti-fraud departments in the industry I still don't want to take the chance.


----------



## Bill_Bright (Jun 13, 2019)

trparky said:


> Even though my bank (a credit union) probably has the most paranoid anti-fraud departments in the industry I still don't want to take the chance.


But they probably would not suspect a charge of $60 at Walmart or $100 at Costco. But you would.


----------



## trparky (Jun 13, 2019)

Bill_Bright said:


> But they probably would not suspect a charge of $60 at Walmart or $100 at Costco. But you would.


Probably not, hence the notifications.


----------



## Bill_Bright (Jun 13, 2019)

I take it back for Costco. Since, like Sams, you have to scan your membership card before each purchase (even when paying with a bank card) someone would have to be really dumb to use a stolen bank card there.


----------



## biffzinker (Jun 13, 2019)

Bill_Bright said:


> I take it back for Costco. Since, like Sams, you have to scan your membership card before each purchase (even when paying with a bank card) someone would have to be really dumb to use a stolen bank card there.


With smart chips on payment cards now anyone can use your card as a credit payment, and a lot businesses migrated to no signature required for credit. Not to mention the cashiers don't verify the name or picture on the payment card.


----------



## trparky (Jun 13, 2019)

biffzinker said:


> With smart chips on payment cards now anyone can use your card as a credit payment, and a lot businesses migrated to no signature required for credit.


And this is the biggest reason why credit card fraud in the United States is higher than anywhere else in the world. I remember reading somewhere that the United States represents somewhere around 35% of the world's credit card transactions but we also represent 75% of the world's credit card fraud. Why? Because there's literally no verification in the US (chip-and-sign, or should I say chip-and-nothing) to make sure that the person using the card is supposed to be using the card unlike in Europe where it's chip-and-PIN.


----------



## lexluthermiester (Jun 13, 2019)

trparky said:


> Europe where it's chip-and-PIN.


Everywhere I go, it's chip and pin now. There are a few places that are still converting over but most have already. But we're off topic and I digress..


----------



## biffzinker (Jun 13, 2019)

trparky said:


> it's chip-and-PIN.


Still is for debit but it does nothing when your allowed to bypass entering a pin, and instead are allowed credit with nothing else required.


----------



## Bill_Bright (Jun 13, 2019)

biffzinker said:


> Not to mention the cashiers don't verify the name or picture on the payment card.


I thought I was clear - guess I was not. Remember, trparky was talking about his credit union debit card and I was talking about my bank debit card. And my comment - which you quoted - was talking about using them at Costco or Sam's. For those not familiar, you have to be a member to shop at Costco or Sam's.

Yes, if someone gets your Costco or Sam's Club card, they can use it at Costco or Sam's Club. And both those places (at least around here) have self-checkouts so no clerks involved. But those cards can't be used anywhere else but at Costco or Sams. Pretty sure you can't even use your Sam's card at Walmart.

My point was if your Credit Union Visa Debit or Bank MasterCard Debit was stolen and the card thief tried to use it at Costco or Sams, they would have to scan a valid Costco or Sams card with it to make any purchases. If they used their own Costco or Sam's card with your stolen Visa or MC debit card, that would be dumb as they would likely get caught.


----------



## trparky (Jun 13, 2019)

biffzinker said:


> instead are allowed credit with nothing else required


And that's why credit card fraud is so high. In Europe it's chip-and-PIN for both credit and debit modes, in the US there's no such thing. Don't want to put your PIN in or you forgot it? Just press the green button and it'll go through.


----------



## Bill_Bright (Jun 13, 2019)

trparky said:


> in the US there's no such thing.


Well that's not true. While it may not be universally enforced, it is widely applied and I think getting there. The problem is, it is the merchant who must expend the resources (read: $$$) to implement the necessary tools to prevent such fraud. Not the credit card issuers. The banks, once again (with the help of no regulation ), have set themselves up to reap the profits while the little guy (consumers and small businesses) carry the majority of the burden.


----------



## R-T-B (Jun 14, 2019)

Bill_Bright said:


> More bullfeathers! The careless and/or ignorant user who fails to properly keep his or her computer and security system updated would not know how their system got infected - though surely they would blame Microsoft or Intel. But there are 1000s of professional security analyst around the globe right now scouring the malicious code that is out in the wild who would know.



No, because you can't trust what the hardware of an infected system tells you.  Knowing malicious code is out there is not a case of confirming an active operating infection based on a hardware-level vulnerability.  You are unlikely to ever get that (though you may with very advanced tools in a lab setting, but that doesn't really count).  Thus, my point.



Vayra86 said:


> Go get em Bill. The amount of unsubstantiated BS in this topic is bizarre.



True but, being a operating professional in this field, it's not coming from me.


----------



## juiseman (Jun 14, 2019)

biffzinker said:


> The recent smart chip on a credit card is suppose to prevent the old way of skimming via mag strip.



But the gas pumps are all still mag strip readers as far as I know.
At least in my part of the world.....


----------



## Bill_Bright (Jun 14, 2019)

R-T-B said:


> No, because you can't trust what the hardware of an infected system tells you. Knowing malicious code is out there is not a case of confirming an active operating infection based on a hardware-level vulnerability. You are unlikely to ever get that (though you may with very advanced tools in a lab setting, but that doesn't really count). Thus, my point.


Yes. 

Did you read what I said and what you quoted? Apparently not.  I agreed with you that the less experienced (and careless/ignorant) would not know how their system got infected. But (and you just agreed with this!  ) the well equipped professional would. So "yes".

And of course what the professional sees in their well equipped labs counts! You can't dismiss facts you don't like just because they show how incorrect your BS is!   How do you think the anti-malware industry discovers new malware? They use, among other techniques, honeypots to capture new code for analysis so they can create definition files and other detection methods block such malware. So of course the use of advanced tools in a lab setting counts.



R-T-B said:


> True but, being a operating professional in this field, it's not coming from me.


Yes it is. You may be an OS professional but that does not qualify you as being a malware or hardware or CPU vulnerability professional. 

You made a blanket statement saying malware that came via one of these Intel CPU vulnerabilities would _"be untraceable"_.  Like all blanket statements, that is wrong, thus BS coming from you! You also claimed there will "_never_" be a report of such an infection. Another blanket statement for more BS. Professional labs (which do indeed count!) and "white hats" have already reported there are several 100 pieces of malware out in the wild that are designed to exploit these vulnerabilities. But there is yet to be any report of any of those being successful at penetrating all a computer's defenses and succeeding at exploiting one of those vulnerabilities. 

Will we see such a report? I can't foretell the future and neither can you! That's the point! But I sure suspect if/when such malware infections are discovered, it will be reported simply because the IT press loves to report bad news, and there are many AMD fans who will parrot those reports - for years to come. 

And yes, I am fully cognizant of the irony in stating "all blanket statements are wrong". 



juiseman said:


> But the gas pumps are all still mag strip readers as far as I know.
> At least in my part of the world.....


A new station in my area was just built and it has a chip reader. Where I normally get my gas, they just put in all new pumps but they use strip readers. However, you have to enter the zip code tied to the billing information for that card to proceed. I know two people who have had their wallets stolen. Both were recovered with their driver's licenses still in the wallets. Only the cash and credit cards were stolen. So unless the bad guy memorized the zip code from the license before tossing the wallets, they at least could not use one of those cards to buy gas at those pumps.


----------



## R-T-B (Jun 14, 2019)

Bill, slow down and take a breather.  I said I DOUBTED we would ever see such a report, not that it is strictly impossible.  There is no need to get worked up like that over an opinion / prediction on my part based on the traits of the problem.

EDIT:

It would seem I did indeed use an absolute.  I assumed otherwise but obviously you are right.  I recant.  I can only defend my statement as a "doubt you'll see it scenario" not an absolute.

Sincere apologies for the confusion.  Wording does indeed matter.



Bill_Bright said:


> You made a blanket statement



Indeed and I was operating on the premise I could not posdibly be that foolish.  Like all blanket statements, that was wrong.  



Bill_Bright said:


> You may be an OS professional



I'm a little more than that, bears saying.  I am a UEFI reverse engineer and skilled malware analyst that in the last years has actually made that his primary business (easier than Journalism, less people and more code lol).


----------



## Bill_Bright (Jun 14, 2019)

I am not worked up. I am just trying to stop the BS so readers don't get blasted with a bunch of falsehoods and misinformation about safety and security when using Intel processors. This is a technical forum and presented "facts" should be technically correct - regardless how our personal opinions shape our biases.



R-T-B said:


> EDIT:
> 
> It would seem I did indeed use an absolute. I assumed otherwise but obviously you are right. I recant. I can only defend my statement as a "doubt you'll see it scenario" not an absolute.
> 
> Sincere apologies for the confusion.


 Thanks for this.

My personal opinion is that we will see such a report *IF* an infected machine is discovered to have been infected by malware designed to exploit one of those vulnerabilities. Why wouldn't it be? That type information is exactly the type shared among the anti-malware industry so it can be thwarted on a global basis. That's what the VIA is all about.

So why will there be such a report? Because some code is going to have to sneak past all security coming in, reach directly into the CPU and exploit the vulnerability, grab the data exposed by that vulnerability, then sneak back out. And you are suggesting that can be done - especially on a fully patched and updated computer - without leaving any trace for a malware professional in their labs to find? I don't think so. In fact, I am sure of it.


----------



## R-T-B (Jun 14, 2019)

Bill_Bright said:


> Thanks for this.



No prob.  It's important to acknowledge when you're wrong too...  but brains are tricky!  They require you recognize that first.


----------



## Bill_Bright (Jun 14, 2019)

R-T-B said:


> It's important to acknowledge when your wrong too...


Not just important for the obvious technical reasons - but for the character admitting a mistake demonstrates. That character garners much more respect from me than just about anything else!


----------

