• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates

Joined
Aug 6, 2017
Messages
7,412 (2.75/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
Yes, when you move between CCXs there's a difference, but especially with Ryzen 2, users won't see any difference at all until they move beyond 4 cores for a task.
Why then would I buy a 6/8 core CPU if I don't want to run +4 core tasks ?
 
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
Why then would I buy a 6/8 core CPU if I don't want to run +4 core tasks ?
There's always the possibility that the next revision/iteration of CCX will have 6/8 native cores, without it how do you suppose they'll get to 48/64 EPYC cores? In fact it's virtually certain atm, hence the biggest threat in a gen to Intel will be coming as Zen2 or whatever it's called. Say buh-bye to inter CCX latency, though you'll probably have to buy an APU for that.
 
Joined
Mar 6, 2017
Messages
3,358 (1.18/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
Joined
Aug 6, 2017
Messages
7,412 (2.75/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
There's always the possibility that the next revision/iteration of CCX will have 6/8 native cores, without it how do you suppose they'll get to 48/64 EPYC cores? In fact it's virtually certain atm, hence the biggest threat in a gen to Intel will be coming as Zen2 or whatever it's called. Say buh-bye to inter CCX latency, though you'll probably have to buy an APU for that.
The way they make those is disable 1/2 cores on the ccx, 4 core ryzens still have 2 ccx units.
 
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
The way they make those is disable 1/2 cores on the ccx, 4 core ryzens still have 2 ccx units.
Yes but I'm saying, presumably with the APU, that inter CCX latency could soon be a thing of the past with 6/8 core CCX come Zen2, so it isn't that big of a deal anymore.
 
Joined
Oct 5, 2017
Messages
595 (0.23/day)
The way they make those is disable 1/2 cores on the ccx, 4 core ryzens still have 2 ccx units.
That isn't even slightly what he suggested, don't be obtuse.

What he said was it is possible that EACH CCX on subsequent Ryzen CPUs could easily have 6 or 8 cores, in which case all of those cores would have lower latency than Intel's current architecture does.

Now with that cleared up - the INTER-CCX latency on Ryzen is not an impediment in any practical terms. Yes, when communicating between core 5 and core 4, a Ryzen chip is a number of nanoseconds slower. However so is a higher corecount Intel CPU.

What you are trying to argue is that somehow AMDs use of 4 Core CCXs, two per die, is somehow crippling their performance.

That is an emphatically untrue statement. Benchmark after benchmark after benchmark proves just how fast Ryzen actually is. More to the point - in gaming benchmarks (Which are the ones where this might matter), its already been shown in every benchmark for the last year that AMD simply aren't that far behind Intel. If CCX design was the issue then AMD would not be as close as they are to Intel's single threaded IPC and they also would not be absolutely killing them in multithreaded workloads.

Once again, you are blowing a tiny, completely insignificant part of a much greater whole, well out of proportion in order to make a point that simply isn't backed up by the real world performance of these chips in real world tasks.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
42,632 (6.68/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
Glofo is claiming 5ghz-ish with their 7nm process so I don't see why the tsmc 7nm process should not enable 5ghz-ish for ryzen 3000. I think an overlooked aspect of what AMD has been using process node wise is that its a 14nm samsung node used by Glofo, as far as I know samsung only make mobile centric processors where power efficiency is a premium and clock speed tend to be in the 1ghz to maybe 3ghz range, I dont believe there is a high performance variant of a samsung node just low power, TSMC and Glofo both state they will have both a high performance and low power verison of their 7nm process. This is why I believe the ryzen clock speeds have been lacking but power efficiency has been pretty good. Either way in time it will be revealed.

I support AMD but what does this have to do with Intel? It's off topic.

Lets get back on please.

Now my deal is with these flaws is OUCH!
 
Joined
Sep 15, 2007
Messages
3,946 (0.63/day)
Location
Police/Nanny State of America
Processor OCed 5800X3D
Motherboard Asucks C6H
Cooling Air
Memory 32GB
Video Card(s) OCed 6800XT
Storage NVMees
Display(s) 32" Dull curved 1440
Case Freebie glass idk
Audio Device(s) Sennheiser
Power Supply Don't even remember
Won't happen core vs core

I'd be very happy if Zen 2 reaches 4.5 GHz... The 1700 in my server can't even do 4 GHz stable

You bought a low binned part... And we all know the process target was 3 GHz for mobile. 4+ is quite a feat without huge power demands.
 
Joined
Sep 15, 2011
Messages
6,762 (1.39/day)
Processor Intel® Core™ i7-13700K
Motherboard Gigabyte Z790 Aorus Elite AX
Cooling Noctua NH-D15
Memory 32GB(2x16) DDR5@6600MHz G-Skill Trident Z5
Video Card(s) ZOTAC GAMING GeForce RTX 3080 AMP Holo
Storage 2TB SK Platinum P41 SSD + 4TB SanDisk Ultra SSD + 500GB Samsung 840 EVO SSD
Display(s) Acer Predator X34 3440x1440@100Hz G-Sync
Case NZXT PHANTOM410-BK
Audio Device(s) Creative X-Fi Titanium PCIe
Power Supply Corsair 850W
Mouse Logitech Hero G502 SE
Software Windows 11 Pro - 64bit
Benchmark Scores 30FPS in NFS:Rivals
At this rate, quarterly fixes should have us back to Northwood performance in no time. :rolleyes:
This. If this trend continues, my 3770K CPU will be much faster than the 8700K one, lol .
 
Last edited:
Joined
Dec 30, 2010
Messages
2,200 (0.43/day)
Could people bench the i7 vs bulldozer again? I'm curious how far behind the vishera actually is now with all these patches and fixes that tamper performance one by one.
 
Joined
Jan 31, 2010
Messages
5,560 (1.02/day)
Location
Gougeland (NZ)
System Name Cumquat 2021
Processor AMD RyZen R7 7800X3D
Motherboard Asus Strix X670E - E Gaming WIFI
Cooling Deep Cool LT720 + CM MasterGel Pro TP + Lian Li Uni Fan V2
Memory 32GB GSkill Trident Z5 Neo 6000
Video Card(s) PowerColor HellHound RX7800XT 2550cclk/2450mclk
Storage 1x Adata SX8200PRO NVMe 1TB gen3 x4 1X Samsung 980 Pro NVMe Gen 4 x4 1TB, 12TB of HDD Storage
Display(s) AOC 24G2 IPS 144Hz FreeSync Premium 1920x1080p
Case Lian Li O11D XL ROG edition
Audio Device(s) RX7800XT via HDMI + Pioneer VSX-531 amp Technics 100W 5.1 Speaker set
Power Supply EVGA 1000W G5 Gold
Mouse Logitech G502 Proteus Core Wired
Keyboard Logitech G915 Wireless
Software Windows 11 X64 PRO (build 24H2)
Benchmark Scores it sucks even more less now ;)
This. If this trend continues, my 3770K CPU will be much faster than the 8700K one, lol .

Ah no it wont you'll get Cyrix 5x86 perf while the 8700K will be at Pentium MMX perf LOL
 
Joined
Sep 15, 2011
Messages
6,762 (1.39/day)
Processor Intel® Core™ i7-13700K
Motherboard Gigabyte Z790 Aorus Elite AX
Cooling Noctua NH-D15
Memory 32GB(2x16) DDR5@6600MHz G-Skill Trident Z5
Video Card(s) ZOTAC GAMING GeForce RTX 3080 AMP Holo
Storage 2TB SK Platinum P41 SSD + 4TB SanDisk Ultra SSD + 500GB Samsung 840 EVO SSD
Display(s) Acer Predator X34 3440x1440@100Hz G-Sync
Case NZXT PHANTOM410-BK
Audio Device(s) Creative X-Fi Titanium PCIe
Power Supply Corsair 850W
Mouse Logitech Hero G502 SE
Software Windows 11 Pro - 64bit
Benchmark Scores 30FPS in NFS:Rivals
Ah no it wont you'll get Cyrix 5x86 perf while the 8700K will be at Pentium MMX perf LOL
Well, I'm not silly enough to "patch" bost bios and Win10. Especially that nobody has access to my PC and I never go on shaddy sites. I prefer raw performance over 0.1% increase in Security Risk. Relax.
 
Last edited:
Joined
Jan 15, 2015
Messages
362 (0.10/day)
You don't hear about them because they're not actually AMD specific bugs - They're bugs in ASMedia products that Intel also uses extensively. AMD already patched them, it didn't require Zen 2, and the root of the vulnerability was ASMedia
That was one of the vulnerabilities.

The only reason that they were ever phrased as being solely AMD-relevant was that the company that publicised them, was making an attempt to manipulate AMD stocks.
Ad hom against the messenger won't change the fact that those vulnerabilities existed nor is it a good idea to promote stifling the tech press. Keeping people in the dark about flaws in their products isn't good. It's particularly humorous for people to simultaneously argue that these flaws weren't a big deal and that it was really terrible for CTS to not give AMD executives and other insiders time to dump stock (as Intel's CEO apparently did during the Meltdown/Spectre Google-given period).

Fortunately, most of the tech press spent their time talking about who the fuck CTS labs were, rather than focusing on the "flaws", such as they were.
That's a good idea, since it was clearly CTS that sold consumers products with security flaws.
 
Joined
Sep 15, 2007
Messages
3,946 (0.63/day)
Location
Police/Nanny State of America
Processor OCed 5800X3D
Motherboard Asucks C6H
Cooling Air
Memory 32GB
Video Card(s) OCed 6800XT
Storage NVMees
Display(s) 32" Dull curved 1440
Case Freebie glass idk
Audio Device(s) Sennheiser
Power Supply Don't even remember
That was one of the vulnerabilities.


Ad hom against the messenger won't change the fact that those vulnerabilities existed nor is it a good idea to promote stifling the tech press. Keeping people in the dark about flaws in their products isn't good. It's particularly humorous for people to simultaneously argue that these flaws weren't a big deal and that it was really terrible for CTS to not give AMD executives and other insiders time to dump stock (as Intel's CEO apparently did during the Meltdown/Spectre Google-given period).


That's a good idea, since it was clearly CTS that sold consumers products with security flaws.


I found the guy on the new CTS labs payroll. You're terrible, ban yourself.
 
Joined
Jan 17, 2006
Messages
932 (0.13/day)
Location
Ireland
System Name "Run of the mill" (except GPU)
Processor R9 3900X
Motherboard ASRock X470 Taich Ultimate
Cooling Cryorig (not recommended)
Memory 32GB (2 x 16GB) Team 3200 MT/s, CL14
Video Card(s) Radeon RX6900XT
Storage Samsung 970 Evo plus 1TB NVMe
Display(s) Samsung Q95T
Case Define R5
Audio Device(s) On board
Power Supply Seasonic Prime 1000W
Mouse Roccat Leadr
Keyboard K95 RGB
Software Windows 11 Pro x64, insider preview dev channel
Benchmark Scores #1 worldwide on 3D Mark 99, back in the (P133) days. :)
@RichF IMO you are reading things into what @GlacierNine said, that he didn't say.

My reading of the comment was that the CTS's release was clearly biased (which it was), not defending AMD's actual issues (which appear to now be mitigated).
 

cadaveca

My name is Dave
Joined
Apr 10, 2006
Messages
17,232 (2.52/day)
Love watching the blind lead the blind... and then argue about who sees less. Please continue.

This is but the tip of the iceberg of how these issues will affect users with current and older hardware for years to come. INtel isn't devoting resources like this (quarterly updates) for something that is a small problem. That's the real news here, and unfortunately for AMD fans, they will be just as problematic and anyone thinking that BIOS updates fix physical hardware flaws is hilarious.
 
Joined
Oct 5, 2017
Messages
595 (0.23/day)
Ad hom against the messenger won't change the fact that those vulnerabilities existed nor is it a good idea to promote stifling the tech press. Keeping people in the dark about flaws in their products isn't good. It's particularly humorous for people to simultaneously argue that these flaws weren't a big deal and that it was really terrible for CTS to not give AMD executives and other insiders time to dump stock (as Intel's CEO apparently did during the Meltdown/Spectre Google-given period).
You're displaying a massive non-understanding of why bugs are reported ahead of time to companies and whitepapers released later.

Firstly, it's not "Ad hom" to point out that a companies actions are intended to manipulate stock prices and are for personal benefit. CTS Labs are not a "Messenger" here as much as they are complicit in the actions of a saboteur (Viceroy Research).

Secondly, the reason vulnerabilities aren't released to the public immediately, and are instead given to the manufacturers to provide fixes for ahead of time, is to prevent flaws identified in research from being publicised and potentially exploited before a fix can be provided. It's a mechanism to keep consumers safe. If a fix isn't provided, the bugs are publicised anyway, in order to force complacent or lazy companies to address bugs that have been put into the public domain, rather than allowing them to rely on security-through-obscurity, which is an inherently unsafe practice.

Publishing results to the public immediately, without giving manufacturers time to provide patches or mitigations, makes everyone less safe, since it paints a target on specific products and software, with big red letters for any bad actor to read saying "This product has a vulnerability, can you find it before the vendor patches it?"

I mean, bear in mind here that the people whose practices you're criticising in terms of giving companies time to fix their bugs - those people are also known as "The computer security industry". The Spectre and Meltdown bugs were made public by Project Zero for example - who are part of Google.

Project Zero regularly publishes new research - Including research on NEW security measures implemented by OS vendors, chip makers and software developers, assessing the effectiveness of those measures. - https://googleprojectzero.blogspot.com/

Note that their blog contains many examples of bugs that were fixed before they became public knowledge, due to those practices. This keeps consumers safer and means we're not all constantly panicking about the security vulnerabilities researchers discover.
 
Joined
Jan 17, 2006
Messages
932 (0.13/day)
Location
Ireland
System Name "Run of the mill" (except GPU)
Processor R9 3900X
Motherboard ASRock X470 Taich Ultimate
Cooling Cryorig (not recommended)
Memory 32GB (2 x 16GB) Team 3200 MT/s, CL14
Video Card(s) Radeon RX6900XT
Storage Samsung 970 Evo plus 1TB NVMe
Display(s) Samsung Q95T
Case Define R5
Audio Device(s) On board
Power Supply Seasonic Prime 1000W
Mouse Roccat Leadr
Keyboard K95 RGB
Software Windows 11 Pro x64, insider preview dev channel
Benchmark Scores #1 worldwide on 3D Mark 99, back in the (P133) days. :)
... and anyone thinking that BIOS updates fix physical hardware flaws is hilarious.

Not fix, but they certainly should help mitigate them. Of course if someone has physical access to the machine and can install their own BIOS/UEFI then the machine can be compromised/returned to a flawed state anyway - if someone has that kind of access and is ,malicious then you have other problems too. ;)
 

cadaveca

My name is Dave
Joined
Apr 10, 2006
Messages
17,232 (2.52/day)
Not fix, but they certainly should help mitigate them. Of course if someone has physical access to the machine and can install their own BIOS/UEFI then the machine can be compromised/returned to a flawed state anyway - if someone has that kind of access and is ,malicious then you have other problems too. ;)
you don't need physical access to update a BIOS. Yeah, these bugs are easier to use if you have physical access, but there are far more ways to gain control over a machine FIRST, and then use these exploits, than most want to admit.

And the fixes.. barely affect performance for most users. This whole thing seems vastly misunderstood. Oh well.
 
Joined
Jan 17, 2006
Messages
932 (0.13/day)
Location
Ireland
System Name "Run of the mill" (except GPU)
Processor R9 3900X
Motherboard ASRock X470 Taich Ultimate
Cooling Cryorig (not recommended)
Memory 32GB (2 x 16GB) Team 3200 MT/s, CL14
Video Card(s) Radeon RX6900XT
Storage Samsung 970 Evo plus 1TB NVMe
Display(s) Samsung Q95T
Case Define R5
Audio Device(s) On board
Power Supply Seasonic Prime 1000W
Mouse Roccat Leadr
Keyboard K95 RGB
Software Windows 11 Pro x64, insider preview dev channel
Benchmark Scores #1 worldwide on 3D Mark 99, back in the (P133) days. :)
Perhaps not, but it's certainly much easier to do with physical access.
 
Joined
Jan 15, 2015
Messages
362 (0.10/day)
You're displaying a massive non-understanding of why bugs are reported ahead of time to companies and whitepapers released later.

Firstly, it's not "Ad hom" to point out that a companies actions are intended to manipulate stock prices and are for personal benefit. CTS Labs are not a "Messenger" here as much as they are complicit in the actions of a saboteur (Viceroy Research).

Secondly, the reason vulnerabilities aren't released to the public immediately, and are instead given to the manufacturers to provide fixes for ahead of time, is to prevent flaws identified in research from being publicised and potentially exploited before a fix can be provided. It's a mechanism to keep consumers safe. If a fix isn't provided, the bugs are publicised anyway, in order to force complacent or lazy companies to address bugs that have been put into the public domain, rather than allowing them to rely on security-through-obscurity, which is an inherently unsafe practice.

Publishing results to the public immediately, without giving manufacturers time to provide patches or mitigations, makes everyone less safe, since it paints a target on specific products and software, with big red letters for any bad actor to read saying "This product has a vulnerability, can you find it before the vendor patches it?"

I mean, bear in mind here that the people whose practices you're criticising in terms of giving companies time to fix their bugs - those people are also known as "The computer security industry". The Spectre and Meltdown bugs were made public by Project Zero for example - who are part of Google.

Project Zero regularly publishes new research - Including research on NEW security measures implemented by OS vendors, chip makers and software developers, assessing the effectiveness of those measures. - https://googleprojectzero.blogspot.com/

Note that their blog contains many examples of bugs that were fixed before they became public knowledge, due to those practices. This keeps consumers safer and means we're not all constantly panicking about the security vulnerabilities researchers discover.
1) The period of time Google gave Intel is a long one. Some, such as myself, think it is too long.

2) Regardless of the benefits of muzzling the tech press by withholding information about existing/known vulnerabilities, there are real drawbacks.

3) CTS' motives concerning stocks? How about Intel's CEO selling a lot of shares with insider information, prior to the public exposure of Meltdown and Spectre? One of the real drawbacks of concealing from the public knowledge of the vulnerabilities that are known, and which exist in the products they are using at that very moment, is that insiders can make money with stocks. The stock issue is far less important to me than the security issue, the press freedom issue, and the consumer rights issue.

Consumers have the right to know about the defects in the products they have been sold. Not two weeks from now. Not a month from now. Not two years from now. Immediately.

The responsibility for any fallout from exploitation of those defects rests on the company that sold the consumers the defective products.

CTS pointed out a fact, which is that corporations that are given a lot of time to secretly work on mitigating defects use that time not purely for fixing and working around those defects via technology but also use that time for things like propaganda.

4) "Publishing results to the public immediately, without giving manufacturers time to provide patches or mitigations, makes everyone less safe" This is a common assertion but I have yet to see hard data to support it. "Withholding knowledge from people makes them less safe" is the counterargument.

5) "the people whose practices you're criticising in terms of giving companies time to fix their bugs - those people are also known as 'The computer security industry'". Specific companies like Google are not "The" industry. They are specific corporations with specific profit-seeking practices. They don't own the tech press either.

Google was caught hacking into iOS and OS X to install a payload of spyware. We had better hope that Google does not own the security industry nor the tech press.
 
Joined
Oct 5, 2017
Messages
595 (0.23/day)
A heap of bullshit

1 - You can think that, but deadlines of several months are not in any way unusual, and since the vulnerabilities were quite severe and required a lot of work to fix, it's absolutely sensible to give companies a reasonable amount of time within which to work and release fixes. As shown in that link, if the fixes are not provided, the details are published anyway, and Intel weren't given special treatment over Microsoft, to whom that example link refers. (Project Zero's standard period is 90 days, the same as given to MS and Intel)

2 - Please, by all means, point to the drawbacks you are blindly asserting exist in relation to this process. The only one I can personally think of is that, if a company were intentionally avoiding releasing patches and thus went over the deadline before being forced to make a patch, then the exploit would be patched slightly later than it otherwise would have been. However, this argument doesn't stand up to scrutiny, as a vulnerability NOT disclosed to the wider public is at substantially less risk of being exploited, so the net effect on consumers only even *exists* if a bad actor has already discovered the same vulnerability independently and begun to exploit it. (In which case, the company is solely responsible for not patching an exploit that is being used "in the wild" as it were, in order to protect their users - they should be doing so regardless of any security disclosure.) In such instances, it is the company's fault if, having been informed of the vulnerability, they have not taken steps to patch it. Project Zero would not be accountable for the hubris of a company that did not heed clear warnings, and in instances where a bad actor is not actively exploiting a vulnerability, this practice allows the vulnerability to be patched in advance of any bad actor being given even the slightest clue that it exists.

That practice absolutely keeps users safer, as it often takes more time to fix a vulnerability, than it does to exploit it after being informed of it.

3 - This is simply whataboutery. If anything it simply bolsters my point - CTS had reason to believe that by publishing this information they could force a movement in the stock market - the same one they'd seen Intel's CEO profit from earlier. The mechanics of their short position were slightly different, but this was absolutely their intention. Sure, Intel's CEO did that, and it's wrong that he did so or was able to. But I don't recall ever arguing that he was in the right to do so? If my memory fails me then by all means, point to where I defended his actions re: stock trading.

The second half of this point is simply you attempting, once again, to state (without any evidence to support you) that the industry standard practice of privately disclosing vulnerabilities to be patched before making them public, is somehow inherently flawed. If you genuinely believe that, then once again, you are taking issue with an entire industry's standard practice - A practice CTS labs wilfully ignored despite claiming to have many years of experience, and then defended ignoring with the shamefully ignorant argument of "We didn't think it was possible to patch these vulnerabilities in the time allotted so we went public straight away" - As if somehow that argument doesn't INCREASE the amount of time a bad actor has to find out about and abuse the issues raised, ahead of a fix being provided.

4) This is a stupid argument to be making. This is not difficult - Vulnerabilities are typically easier and quicker to exploit than they are to fix. By not giving manufacturers a headstart on mitigation, you are giving bad actors an extended window within which to work to exploit the issues. On the other hand, a user cannot patch their OS or programs by themselves - if they had the knowledge they were running unsafe software, it wouldn't do them any practical good, because they cannot fix the problems themselves unless they are developers themselves, running OSS they are free to modify themselves, and even then, most wouldn't have the time or skill to fix these issues themselves. What you just provided isn't a counterargument - It's simply a contrary assertion, and one that is contradicted by the practices of the entire InfoSec industry, to boot.

5 - Actually, it is "The industry". All I had to do to find a heap of examples of this happening was search the term "discloses vulnerability".

That brought me to Symantec for example, who followed this practice when helping apple to patch undisclosed vulnerabilities in iOS 11 - http://www.eweek.com/security/symantec-discloses-apple-ios-trustjacking-risks-at-rsa-conference

Duo security even published a table of vendors who they informed and when they subsequently updated after being informed Note that this article was published on 27th Feb, but the companies in the table were mostly notified 24 Jan. - https://www.kb.cert.org/vuls/id/475445

Check Point Software Technologies disclosed a vulnerability to WhatsApp and Telegram on March 7th, both companies developed patches for the issue before it was made public on March 15th. The same article mentions that they disclosed, and whatsapp fixed, another security vulnerability in the same way in 2015. https://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/

In fact, one of the major criticisms of the NSA after it's tools were leaked online (leading to WannaCry for example), was that these bugs could have been patched BEFORE they were exploited, if the NSA hadn't attempted to hide the vulnerabilities and keep them secret, rather than informing vendors - http://thehill.com/policy/cybersecu...t-vulnerability-connected-to-wanna-cry-report
https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/
https://www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zero-days/




You can dress this up all you like - At the end of the day, this is established practice for a reason - The EternalBlue and Wannacry ransomware attacks show exactly what can happen if this practice is disregarded. CTS Labs should have known this if they were anywhere near as experienced or "benevolent" as you are attempting to make out. The fact they disregarded it is proof of either their incompetence, their malice, or their vested interest.
 
Last edited:
Joined
Jan 15, 2015
Messages
362 (0.10/day)
"A heap of bullshit"

When you start a post with insult you don't incentivize the person you're allegedly responding to bother to read your post. Instead, you're just showing off for others. That's not discourse. It starts with the letter t.
 
Joined
Oct 5, 2017
Messages
595 (0.23/day)
"A heap of bullshit"

When you start a post with insult you don't incentivize the person you're allegedly responding to bother to read your post. Instead, you're just showing off for others. That's not discourse. It starts with the letter t.
Congratulations, you caught that I don't mind being rude to you.

Fortunately, that doesn't affect the substance of my post in the slightest - Nor does it affect the content of the multitude of links I included to back up my own points, wherein nobody is being rude to you.

If you could kindly stay on topic instead of engaging in your own ad hominem attacks about my attitude, that'd be nice. It'd also be a damn sight less hypocritical of you, considering you're accusing me of ad hominem only to engage in it yourself.
 
Top