Intel Reveals New Spectre-Like Attack, Advises Disabling Hyper-Threading

[R-T-B]

If that means that we get better quality software and where patches don't send our systems into BSODs then that's money well spent. Sometimes you have to pay for quality.

I ageee on a personal basis, but that only works if everyone agrees. In todays "free app (ad supported)" world I am unsure it would sustain Microsoft honestly.

I can't imagine the hit was very good.

Me neither. I picture they are running on scraps from upper departments.

 

[trparky]

I agree on a personal basis, but that only works if everyone agrees. In today's "free app" world I am unsure it would sustain Microsoft honestly.

Don't get me started on the whole "free app" phenomenon. There's a reason why it's free, this is what people don't understand. Facebook can function for free because they sell your data. Gmail is free because they sell your data. It comes down to something that's said in some circles... If something is free, YOU are the product!

Me neither. I picture they are running on scraps from upper departments.

Yeah, and that's scary.

 

[Bill_Bright]

trparky is still ranting about MS.

I personally know of no system ever "bricked" by a WU.

Then you really need to talk to some of your IT buddies because I'm damn sure you'll hear horror stories.

As I said, I "personally" know of no system. As for my buddies - we consult with each other often and again, I know of no others that were "bricked". Maybe you don't have a good understanding of what bricked means but it does not matter. That is not the point of this thread and it is not your thread so I am done discussing it with you.

 

[trparky]

Then this part of this thread needs to be spliced out into its own thread. And as far as ranting about Microsoft, they damn well deserve it! I may have not had any problems but that doesn't take away from the fact that if you go do a Google search about such and such KB article update causing issues you won't have to go very far past the first page worth of search results.

But again, this needs a different thread and I call upon a moderator to splice the parts out and we can continue to discussion there.

 

[Metroid]

The best thing to do here is ignore intel and all the crap, do not disable smt, but first before you do all that, make sure you never use that computer for any online banking or transactions.

 

[trparky]

is it the Intel that causes the vulnerabilities

Intel. Their processor designs caused the vulnerabilities.

 

[Bill_Bright]

The best thing to do here is ignore intel and all the crap, do not disable smt, but first before you do all that, make sure you never use that computer for any online banking or transactions.

This is really lousy and clearly biased, fear mongering advice!

You can safely and confidently use your Intel based computer for anything you want, including banking. I just this morning transferred funds from one bank to another, then transferred more funds from one bank into my PayPal account, then sent some $$ from my PayPal account to my son with NO reservations, fears, or concerns a bad guy will compromise my computer or any of my bank accounts. You can too.

All you need to do is keep Windows updated, use and keep current a decent anti-malware solution (I use Windows Defender along with Malwarebytes on all systems here) and don't be "click-happy" on unsolicited links, popups, downloads, and attachments - the exact same precautions you must do if you have an AMD based computer.

Just because a vulnerability exists, that, IN NO WAY, means it is exposed to bad guys or that they could exploit it.

If Intel processors were as unsafe as Metroid wants you to believe, where are all the 100s of millions infected Intel computers that must be out there?

I have yet to find and keep asking for links to a "look what happend here" story related to these vulnabilities. None so far.

Here is it a month after John Naylor made that statement on page 1 of this thread and still there are no reports of a single Intel based machine being infected through one of these vulnerabilities. Not one!

Newbie techie here. I'm a bit confused....is it the Intel that causes the vulnerabilities or is it Microsoft? If it's Microsoft OS, then I might switch to Mac or Linux? Any advice?

Kudos to you, Chris for being wise and reaching out and asking questions. Just note it is very important to do your homework and research ALL the facts before coming to any conclusions and to ignore the extremist advice from those who clearly have not their homework. Use Bing Google yourself. Do you see where Intel users are being infected due to these vulnerabilities? I don't see it. And why is that? Because updated operating systems and anti-malware program developers, as well as firmware updates have all addressed these problems. So again, if you keep your OS and security updated, and don't be click happy, you are just fine using your Intel based computer for any purpose.

And for the record, AMD processors are not immune to exploitable vulnerabilities either. Examples include those reported here and as reported by AMD themselves.

Note this Apple report from The Guardian where it says,

Apple’s iPhones, iPads and Mac computers are all vulnerable to the major processor flaws ... updates are already available.

The flaws known as Meltdown and Spectre affect almost every modern computing device from all manufacturers using chip designs from Intel, AMD and ARM.

Does that mean we should avoid all computing devices? That would be as ridiculous as the advice to avoid banking with Intel was.

 

[Metroid]

If Intel processors were as unsafe as Metroid wants you to believe, where are all the 100s of millions infected Intel computers that must be out there?

Sorry for not clearing it up, to me is not about a processor per se, is more about the whole package, as long as you have something that can be used to exploit something from you in any way, remember that nothing is 100% safe unless in intranet where there is no internet connection, my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering, that is just a warning that if you want to be 100% safe then do it physically. I myself never use online banking or transactions.

 

[R-T-B]

Here is it a month after John Naylor made that statement on page 1 of this thread and still there are no reports of a single Intel based machine being infected through one of these vulnerabilities. Not one!

Considering by their nature infection vector would be untracable, you'll never get one either. It'd fall under generic "infected by malware"

Sorry for not clearing it up, to me is not about a processor per se, is more about the whole package, as long as you have something that can be used to exploit something from you in any way, remember that nothing is 100% safe unless in intranet where there is no internet connection, my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering, that is just a warning that if you want to be 100% safe then do it physically. I myself never use online banking or transactions.

I find that overly cautious to the point of paranoia, but you are indeed correct, it is the safest.

 

[Bill_Bright]

my point is as long as you have internet connection in your device then that device is not safe anymore, that is not fear mongering

But that applies to any device, regardless the brand name on the processor.

I appreciate you now saying it is not about the processor, but that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking. That was fear mongering and simply bad advice.

And frankly, even your comment now is incorrect. To claim you are unsafe if you have an Internet connection is wrong. Yes, if you have internet access, your computer is exposed, but that IN NO WAY means you are unsafe. It is easy to secure your computing device and make it safe. With W10, it is almost effortless - if you leave the defaults alone and pay attention to what you click on. To suggest otherwise is spewing misinformation, if not fear-mongering.

There is no way to be 100% safe regardless how you connect to the internet. If a professional and determined bad guy is out to get you personally, they can do it. Just as a determined bad guy can break into your home regardless how many locks you have or the sophistication of your security system. But when it comes to private citizens, bad guys are lazy opportunists. They go for the low hanging fruit. If they can't trick you into clicking on a malicious link (and every processor brand is vulnerable to that), they are not going to waste their time trying to hack through your wireless network, your router, your computer's local firewall, your security and the OS itself to plant malicious code on your system that then must deploy its payload and then do its dirty deed - without being detected. If they see any resistance, they are going to move on to easier pickings; to the person still using XP, or to the person who has failed to keep their OS and security updated.

In no way am I saying these vulnerabilities are minor and can be ignored. But these exaggerated, knee jerk comments, advice and suggestions are simply irrational and fear mongering BS.

Considering by their nature infection vector would be untracable, you'll never get one either. It'd fall under generic "infected by malware"

More bullfeathers! The careless and/or ignorant user who fails to properly keep his or her computer and security system updated would not know how their system got infected - though surely they would blame Microsoft or Intel. But there are 1000s of professional security analyst around the globe right now scouring the malicious code that is out in the wild who would know. Where are their reports? And there 1000s more professionals who analyze and repair infected systems who can tell if a system was patched or not, and who could identify the malware as one designed to exploit those processor vulnerabilities. Where are their reports? They aren't out there because this just is not the problem the alarmists want everyone to believe.

Yes, the vulnerabilities are real. And yes they are bad. But they are NOT being exploited as you and others seem to believe and want everyone else to believe.

 

[Metroid]

But that applies to any device, regardless the brand name on the processor.

I appreciate you now saying it is not about the processor, but that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking. That was fear mongering and simply bad advice.

And frankly, even your comment now is incorrect. To claim you are unsafe if you have an Internet connection is wrong. Yes, if you have internet access, your computer is exposed, but that IN NO WAY means you are unsafe. It is easy to secure your computing device and make it safe. With W10, it is almost effortless - if you leave the defaults alone and pay attention to what you click on. To suggest otherwise is spewing misinformation, if not fear-mongering.

Agreed, regarding when I said "ignore intel", I meant ignore their warning as they were the one who supposed recommended disabling smt, now is up for the people if they want to follow that recommendation or not, I would not disable because my computer is not used for online banking or transactions, some people will do.

And there is another funny thing happened to me some weeks ago, I received an email saying somebody got all the data I have and know all my passwords and they wanted money for that, I dont use my computer for anything other than browsing and gaming and as I said I never do online banking or transactions and a rarely click in unknown websites and i have all the protection you can think of to block any incoming or outgoing connection or backdoor and yet this email asking for money had a known password of mine, long story short, i have all possible measures and countermeasures and yet somehow somebody got hold of a known password of mine, how did he do, who knows. Even though I have a computer science degree and almost 25 years experience in the area. Now imagine an average joe hehe, so like I said before want something 100% secure, remove your ethernet cable from your computer, now, if you just do like I do browsing and gaming where the internet connection is enabled then follow simple procedures for example, never online banking or transactions, 2fa is a possibility but make sure your mobile is not connected to the same network you complete a known transaction.

I have other computers that I use for work and those don't have internet connection for counter measure.

 

[Bill_Bright]

Agreed, regarding when I said "ignore intel", I meant ignore their warning as they were the one who supposed recommended disabling smt

Okay, I appreciate you saying that - but that was over a year ago!

As for someone getting your password, no surprise there. Companies are being hacked almost on a daily basis. If you ever had a Yahoo account, that password was stolen. And sadly, many of these companies are totally negligent by failing to keep their networks fully patched and secure. I mean if you look at the HUGE Equifax hack, not only did they fail to apply available (for months!) patches that would have prevented the hack in the first place, the very-personal data that was exposed was not even encrypted. IMO, someone should be held criminally negligent on this and many other hacks.

I've been accused of being overly paranoid because I refuse to do any online banking through my cell phone because I don't trust that system (or cell phone carriers) to keep my data safe. But I am confident a PC, especially a Ethernet connected PC, can be used safely for online banking and other sensitive tasks - regardless the brand name on the processor.

 

[Metroid]

Okay, I appreciate you saying that - but that was over a year ago!

As for someone getting your password, no surprise there. Companies are being hacked almost on a daily basis. If you ever had a Yahoo account, that password was stolen. And sadly, many of these companies are totally negligent by failing to keep their networks fully patched and secure. I mean if you look at the HUGE Equifax hack, not only did they fail to apply available (for months!) patches that would have prevented the hack in the first place, the very-personal data that was exposed was not even encrypted. IMO, someone should be held criminally negligent on this and many other hacks.

I've been accused of being overly paranoid because I refuse to do any online banking through my cell phone because I don't trust that system (or cell phone carriers) to keep my data safe. But I am confident a PC, especially a Ethernet connected PC, can be used safely for online banking and other sensitive tasks - regardless the brand name on the processor.

I guess we have always been paranoid at some time, I'm no different, I was once very paranoid but if you follow simple steps then you dont need to be paranoid anymore when it comes to internet security. Hackers can steal anything from me, nothing they get from me will ever send me to jail or compromise me in anyway. That email I got from the supposed hacker, I simply ignored because I have nothing to lose, same thing if i had an intel cpu hehe, dont disable smt, enjoy 4 more threads and life goes on.

Well files from work and other things in computers with no connection, so those files they will never get from me hehe

 

[Vayra86]

What they need to do is to hire an actual QA team instead of using users to beta test their updates.

Its already been proven long ago that big data and the size of your test set is the most effective part of testing. This is also why we run regression tests - automated, would-be user interactions can run all day and night.

People act like one test method excludes the others... even MS isnt that silly or arrogant. When you get an insider build it has already been vetted in some way. Public beta is on top of that.

I think people fail to appreciate that MS employs some of the better programming talent in the world. W10 is a pretty impressive OS if you get the scope of it and its backwards compatibility.

But that applies to any device, regardless the brand name on the processor.

I appreciate you now saying it is not about the processor, but that is totally different from what you said earlier where you told readers specifically to "ignore Intel" and "never use" that Intel computer for online banking. That was fear mongering and simply bad advice.

And frankly, even your comment now is incorrect. To claim you are unsafe if you have an Internet connection is wrong. Yes, if you have internet access, your computer is exposed, but that IN NO WAY means you are unsafe. It is easy to secure your computing device and make it safe. With W10, it is almost effortless - if you leave the defaults alone and pay attention to what you click on. To suggest otherwise is spewing misinformation, if not fear-mongering.

There is no way to be 100% safe regardless how you connect to the internet. If a professional and determined bad guy is out to get you personally, they can do it. Just as a determined bad guy can break into your home regardless how many locks you have or the sophistication of your security system. But when it comes to private citizens, bad guys are lazy opportunists. They go for the low hanging fruit. If they can't trick you into clicking on a malicious link (and every processor brand is vulnerable to that), they are not going to waste their time trying to hack through your wireless network, your router, your computer's local firewall, your security and the OS itself to plant malicious code on your system that then must deploy its payload and then do its dirty deed - without being detected. If they see any resistance, they are going to move on to easier pickings; to the person still using XP, or to the person who has failed to keep their OS and security updated.

In no way am I saying these vulnerabilities are minor and can be ignored. But these exaggerated, knee jerk comments, advice and suggestions are simply irrational and fear mongering BS.
More bullfeathers! The careless and/or ignorant user who fails to properly keep his or her computer and security system updated would not know how their system got infected - though surely they would blame Microsoft or Intel. But there are 1000s of professional security analyst around the globe right now scouring the malicious code that is out in the wild who would know. Where are their reports? And there 1000s more professionals who analyze and repair infected systems who can tell if a system was patched or not, and who could identify the malware as one designed to exploit those processor vulnerabilities. Where are their reports? They aren't out there because this just is not the problem the alarmists want everyone to believe.

Yes, the vulnerabilities are real. And yes they are bad. But they are NOT being exploited as you and others seem to believe and want everyone else to believe.

Go get em Bill. The amount of unsubstantiated BS in this topic is bizarre.

 

[juiseman]

I use online banking on a daily basis also.
Don't really give it much thought usually.
usually don't have much in there to steal. lol...

So, not too worried there.

But; in my view nothing is 100% secure....
If someone want's something bad enough;
They will find a way.

The only thing I do that is extra cautious is I only have
pay pal linked to my credit card. So its like a triple
secured way to buy things online. You have then 3 layers
of security. Pay pal, then Visa then your bank.
I money goes missing or unauthorized purchases happen;
The chances of getting your money back are way better.

Its much easier to get your money stolen through skimming
at gas Pumps. Happen to me 2 times in 6 moths, 2 diff places,
2 different cards. Visa notified me within min. of it happening.
And on the other card, A (pay pal Debit) Pay Pal reversed it
and also both got my money back.

So, now I only use Credit cards or cash at gas stations &
try to use the Pumps closest to the clerk if I can. Since its
probably harder to tamper with the gas pump card reader
in plane sight unless the employees were in on it (which is more
probable.)

I think its best to split up your funds in several stash spots;
Like different banks, different local places (house) or on person
or if your into investing; maybe several different securities and such.

Maybe I'm OSD, but that's what I would do....

 

[trparky]

someone should be held criminally negligent

And yet nobody was found to be criminally negligent when it comes to the Equifax hack. All we got out of the whole damn fiasco was a free year of credit monitoring. Oy.

I'm still pissed about that shit.

 

[biffzinker]

Its much easier to get your money stolen through skimming
at gas Pumps.

The recent smart chip on a credit card is suppose to prevent the old way of skimming via mag strip.

 

[trparky]

The recent smart chip on a credit card is suppose to prevent the old way of skimming via mag strip.

And I've heard of ways to hack that too. About the only way that I figure using your credit card from now on is to use some form of NFC payment such as Google, Samsung, or Apple Pay in which a one-time use randomly generated credit card number (sometimes referred to as tokenized payments) is sent to the retailer. Your real credit card number is never sent.

Oh, and have your bank send you a notification for every single payment ever made on your cards that way if you suddenly get a notification completely out of the blue for no reason you can follow up on the fraudulent charge very quickly.

 

[Bill_Bright]

but if you follow simple steps then you dont need to be paranoid anymore when it comes to internet security.

Exactly! Thanks for saying what I've been saying all along.

Its already been proven long ago that big data and the size of your test set is the most effective part of testing.

Right. I used to work in large software development company. We had 400 developers at my location. Before a new release, everyone - including those of us in hardware support - became "in house" beta testers. And we really worked hard trying to break and abuse, use and misuse the software every way possible in an attempt to find every bug. But still when the software hit the field and 1000s of users started using it, the occasional bug would still appear. And for our product, it all ran on specifically configured hardware we managed too - in tightly controlled software environments. That is, no unauthorized software went on those systems.

Virtually every single one of the 700 million+ W10 machines are uniquely configured in both the hardware and software.

 

[Steevo]

And how is that different from any other malicious activity? Why would you assume all your other security measures have been compromised? Do you feel your router has been compromised? Do you assume your anti-malware solution will not detect any suspicious activity? Do you leave your computer unattended at a public library where anyone can gain physical access to it?

You are much more likely to find your info on the dark web because your bank, Yahoo, The Home Depot, Equifax or Facebook were hacked - again - due to the lackadaisical incompetence of the IT administrators and/or CIOs and CSOs.

It's those servers running Intel hardware in the cloud that allow these hacks and our information out. Not sure what the confusion is, Intel has a large margin of server hardware worldwide and their hardware is leaky.

It can be end users as well, but why Rob the individual when thousands can be taken?

 

[Bill_Bright]

It can be end users as well, but why Rob the individual when thousands can be taken?

Which is one of the main reasons why so many bad guys are concentrating on corporations instead of individuals. The other main reason is home computers, especially those running W10, and home networks are inherently more secure these days. The payoff to spend the extra effort hacking into a home computer is just too little to make it worthwhile for them.

and their hardware is leaky.

While that may be true, "leaky" still does not automatically imply "exposed". If one of those cloud/corporate networks is successfully breached, and one of those severs is successfully hacked and one of those Intel processor vulnerabilities is successfully exploited, and the compromised data is successfully captured by a badguy, it is because someone responsible for that IT support failed to do his or her job.

Oh, and have your bank send you a notification for every single payment ever made on your cards that way if you suddenly get a notification completely out of the blue for no reason you can follow up on the fraudulent charge very quickly.

I love this feature. Don't get me started on Wells Fargo but suffice it to say I still use them for my primary checking account. I set up an alert for any draft on my account greater than $1.00. If I use my debit card to buy something from Amazon or Newegg, as examples, I typically get an email notice from Wells Fargo before I get notice from Amazon or Newegg.

Note sure why they call it a "checking" account. I think its been 3 years since I actually wrote a check!

 

[trparky]

I love this feature. Don't get me started on Wells Fargo but suffice it to say I still use them for my primary checking account. I set up an alert for any draft on my account greater than $1.00. If I use my debit card to buy something from Amazon or Newegg, as examples, I typically get an email notice from Wells Fargo before I get notice from Amazon or Newegg.

I have my bank send me a notification on my iPhone for my debit and credit card. Within ten seconds of a charge on the card, I get a notification on my iPhone indicating the dollar amount and the merchant that performed the transaction. Even though my bank (a credit union) probably has the most paranoid anti-fraud departments in the industry I still don't want to take the chance.

 

[Bill_Bright]

Even though my bank (a credit union) probably has the most paranoid anti-fraud departments in the industry I still don't want to take the chance.

But they probably would not suspect a charge of $60 at Walmart or $100 at Costco. But you would.

 

[trparky]

But they probably would not suspect a charge of $60 at Walmart or $100 at Costco. But you would.

Probably not, hence the notifications.

 

[Bill_Bright]

I take it back for Costco. Since, like Sams, you have to scan your membership card before each purchase (even when paying with a bank card) someone would have to be really dumb to use a stolen bank card there.