One Article Review

The article:
Source Errata Security
Identifier 455356
Publication date 2018-01-04 02:29:18 (seen: 2018-01-04 02:29:18)
Title Some notes on Meltdown/Spectre
Text I thought I'd write up some notes.

You don't have to worry if you patch. If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don't have to worry. If you aren't up to date, then there's a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it's probably not news the average consumer needs to concern themselves with.

This will force a redesign of CPUs and operating systems. While not a big news item for consumers, it's huge in the geek world. We'll need to redesign operating systems and how CPUs are made.

Don't worry about the performance hit. Some, especially avid gamers, are concerned about the claims of "30%" performance reduction when applying the patch. That's only in some rare cases, so you shouldn't worry too much about it. As far as I can tell, 3D games aren't likely to see less than 1% performance degradation. If you imagine your game is suddenly slower after the patch, then something else broke it.

This wasn't foreseeable. A common cliche is that such bugs happen because people don't take security seriously, or that they are taking "shortcuts". That's not the case here. Speculative execution and timing issues with caches are inherent issues with CPU hardware. "Fixing" this would make CPUs run ten times slower. Thus, while we can tweak hardware going forward, the larger change will be in software.

There's no good way to disclose this. The cybersecurity industry has a process for coordinating the release of such bugs, which appears to have broken down. In truth, it didn't. Once Linus announced a security patch that would degrade performance of the Linux kernel, we knew the coming bug was going to be Big. Looking at the Linux patch, tracking backwards to the bug was only a matter of time. Hence, the release of this information was a bit sooner than some wanted. This is to be expected, and is nothing to be upset about.

It helps to have a name. Many are offended by the crassness of naming vulnerabilities and giving them logos. On the other hand, we are going to be talking about these bugs for the next decade. Having a recognizable name, rather than a hard-to-remember number, is useful.

Should I stop buying Intel? Intel has the worst of the bugs here. On the other hand, ARM and AMD alternatives have their own problems. Many want to deploy ARM servers in their data centers, but these are likely to expose bugs you don't see on x86 servers. The software fix, "page table isolation", seems to work, so there might not be anything to worry about. On the other hand, holding up purchases because of "fear" of this bug is a good way to squeeze price reductions out of your vendor. Conversely, later generation CPUs, "Haswell" and even "Skylake" seem to have the least performance degradation, so it might be time to upgrade older servers to newer processors.

Intel misleads. Intel has a press release that implies they are not impacted any worse than others. This is wrong: the "Meltdown" issue appears to apply only to Intel CPUs. I don't like such marketing crap, so I mention it.
Statements from companies: Amazon AWS, ARM, AMD, Intel
Anders Fogh's negative result
Sent Yes
Tags Guideline
Stories
Notes
Move


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.