Intel: Our next chips won't have data leak flaws we told you totally not to worry about

Intel has claimed its future processors – shipping as early as the second half of this year – will be free of the security design flaws it totally told you not to fret about. Over the past couple of months, it has been incredible watching Chipzilla revise its position, in public and behind the scenes, over and over again. In …

  1. Snake Silver badge
    Unhappy

    Actually...

    the unsaid part is what new bugs will be introduced as they redesign the silicon and rewrite the firmware to account for the previous bugs.

    We are [just] human. We simply can't make perfection, and we've proven that time...and time...and time again. So what nice, new little bugbears will we be dealing with 10 years from now?

    1. tfewster
      Facepalm

      Re: Actually...

      They've done a rush-job on a development process that normally takes years. It's pretty much guaranteed there will be new bugs.

      1. Anonymous Coward
        Anonymous Coward

        Re: Actually...

        It is interesting that Intel has not announced that they have fixed the design flaws of the past twenty years but introduced partitioning as part of a redesign to mitigate the flaws. If the original design was just poorly implemented then correcting the implementation would eliminate the flaws. Intel cannot have completed all the testing required to ensure a bug-free architecture in 9 months; modern CPUs are too complex. Was the patched design completed in Intel's design center in Israel?

        I find it an interesting coincidence that before Intel announce their fixed CPUs, AMD CPUs are trashed with vulnerabilities by a new security company based in Israel. Are they trying to increase the share price, or is it part of a FUD campaign?

        1. A Non e-mouse Silver badge

          Re: Actually...

          I find it an interesting coincidence that before Intel announce their fixed CPUs, AMD CPUs are trashed with vulnerabilities by a new security company based in Israel, are they trying to increase the share price or is it part of a FUD campaign

          In this latest AMD case, the Israeli company admitted to shorting AMD's stock.

        2. Michael Wojcik Silver badge

          Re: Actually...

          It is interesting that Intel has not announced that they have fixed the design flaws of the past twenty years but introduced partitioning as part of a redesign to mitigate the flaws.

          That's because Spectre-class vulnerabilities aren't "design flaws". I don't know why this is so difficult for many people to understand. They are trade-offs, done to achieve the performance required by our contemporary use of IT.

          It's the same reason automobile manufacturers haven't corrected the "design flaws" that allow collisions to happen.

          1. Anonymous Coward
            Anonymous Coward

            Re: Actually...

            @Michael Wojcik and "They are trade-offs, done to achieve the performance required by our contemporary use of IT."

            If Intel had said "our kit is faster but not as secure as our competitors" then fair enough but they claimed theirs was the fastest and most secure.

            As to "bugs impossible to remove" that is always just a lie, it is possible but it costs more money to do the job right.

            There are examples of bugs with other chips, but if people still buy them after full disclosure because they are significantly cheaper than their competition then fair enough. Yet again I would say Intel knew but still kept schtum, and the price was the highest.

            Thus Intel are totally guilty and need to make amends via replacement or refund. If it shuts Intel x86 down then that will be a lesson for their competition.

    2. Anonymous Coward
      Thumb Up

      Re: Actually...

      We keep finding new side-channel attacks that were previously unknown, so I think it's safe to say "what new bugs" whether they are addressed in the next batch of chips or not. Meanwhile, I have a ton of gear here that will be kept disconnected from the "outside world" because there is no way in hell I can afford to replace the lot. C'est la vie. It's not like I'm the target of a nation-state. *They* already know all about me. Seriously.

      As per usual, you have to accurately assess your risk profile before you can evaluate what works for *you*. Ditto business. Especially business. I wonder how that part of the insurance industry is going to assign that risk. Interesting question in economics and probability theory.

      1. JohnFen

        Re: Actually...

        " It's not like I'm the target of a nation-state."

        Probably not, but that's not the primary threat vector. You are, along with the rest of us, the target of thieves and corporations.

      2. Michael Wojcik Silver badge

        Re: Actually...

        We keep finding new side-channel attacks

        There will always be new side-channel attacks. Side channels leak information, by definition. In a general-purpose computing device that runs code in different trust domains simultaneously or nearly-simultaneously (i.e. close enough together to observe transient effects), there will always be side-channel vulnerabilities.

    3. A Non e-mouse Silver badge

      Re: Actually...

      We are [just] human. We simply can't make perfection...

      And the modern x86 architecture ain't no simple 4-bit CPU. It's a behemoth. I'm surprised there aren't more errors in it.

      1. Doctor Syntax Silver badge

        Re: Actually...

        I'm surprised there aren't more publicly known errors in it.

        FTFY

        1. phuzz Silver badge
          Headmaster

          Re: Actually...

          "I'm surprised there aren't more publicly known errors in it."

          There's already plenty of known errors to be getting on with.

          (That's just an example from one generation of Intel's CPUs...)

        2. Dr. Mouse

          Re: Actually...

          "I'm surprised there aren't more errors in it."

          They're known as undocumented features, not bugs.

        3. JohnFen

          Re: Actually...

          "I'm surprised there aren't more publicly known errors in it."

          FTFTFY

  2. Inventor of the Marmite Laser

    So

    How do I go about getting replacements out of Intel for the Intel chipped PCs I own that have manufacturer built-in faults

    1. chris 143

      Re: So

      I believe you go down to your local retailer in 6 months or so and buy them

      1. Doctor Syntax Silver badge

        Re: So

        "go down to your local retailer in 6 months or so and buy them"

        ...as part of a whole new computer.

        1. itzman

          Re: So...a whole new computer?

          Golly, I can't remember when I bought a whole new computer that was not a laptop or smartphone.

          Let's see: the case and PSU still have an XP license stuck on them, 2005? The MB is three years old, the CD-ROM 8, the graphics card... Mmm, I think that's quite new, as is the motherboard. The SSD is three years old... and the monitor is getting on for 6..

          Keyboards last about a year max.

          FrankenPC

          1. Peter2 Silver badge

            Re: So...a whole new computer?

            Keyboards last about a year max.

            Try an IBM model M. Almost certain to last longer than you do. Mine's older than a steadily growing percentage of our younger staff.

          2. BinkyTheMagicPaperclip

            Re: So...a whole new computer?

            You'd be better buying a buckling spring keyboard from Unicomp - they'll last forever. There are reasonably priced (60 quid) mechanical keyboards on the market too, as well as the 100 quid plus RGB coloured monstrosities.

            As to age of hardware, pfft, amateur. My newest monitor is a decent 20" HP TFT from 2010, oldest a pair of CRTs from 2004.. My main system went from a decent system for 2008 to an excellent system for 2013 (I do not have the spare cash to buy new dual Xeons..). Admittedly a lot of it is quite recent - the hard drives, RAID enclosures, case, and PSU are all new. The motherboard is new, but E5-2600 era. Why buy new unless you have to?

            Of course I did boot up an SGI O2 running OpenBSD last night. It took ten minutes of disk churning and 50% of CPU to re-link the kernel on boot. High end 1997 tech struggles with a modern OS.

            1. CrazyOldCatMan Silver badge

              Re: So...a whole new computer?

              oldest a pair of CRTs from 2004

              Can't remember what age the CRT attached to my monitor is (it's a 21" Sun-branded monitor and I left the job where I obtained it in 2002..). Admittedly, the only time I turn it on is when I'm rebooting the server - which is about twice a year when a kernel upgrade requires it.

              The server it's attached to is a Supermicro quad-Xeon that I got about 3 years ago. All SSD drives :-) A lot more quiet (and generates a lot less heat) than the Dell 2950 server that I used to use[1] - that one had 6 15K RPM SAS drives.

              [1] Still in the acoustic rack, underneath the new server. In a pinch it could run the important subset of VMs that the new server currently hosts.

            2. Roo
              Windows

              Re: So...a whole new computer?

              Fair play on running OpenBSD on an O2. :)

              1. BinkyTheMagicPaperclip

                Re: So...a whole new computer?

                I'm going to be porting a couple of packages, it's good to have a non x86 platform to test on. I also have a few PowerPC boxes I could use. I have two O2s, each cost me the princely sum of a tenner each from a reseller of ex corporate/educational kit and were from Salford University (probably their VR suite).

                I'll have to see how it works - last time I looked Linux was probably the most functional, although porting software to it was interesting (autoconf generally goes 'what the fuck is this?').. NetBSD had a nicely accelerated X, OpenBSD not so much. Both BSDs suffer from the substandard PS/2 hardware in the O2s, I'm getting horrific key repeat to the point it's unusable from a glass terminal. Going to stick in a PCI USB card and use that instead..

                I don't expect to run anything modern on it - I tried running OpenBSD on a pentium II 300 (retro gaming box), and it was incapable of running X and Wireshark without dropping packets, tcpdump was fine though.

                The second O2 I'm using as a proper O2 and running Irix, it doesn't get used too much (and also suffers because there's no effective free compiler toolchain available for Irix)

          3. CrazyOldCatMan Silver badge

            Re: So...a whole new computer?

            Keyboards last about a year max

            What the hell do you do with them? My server at home still uses a keyboard that arrived with the IBM dual-P2 server that I bought [mumble] years ago.

            Doesn't have any of the Windows key nonsense (and doesn't need it because the server is, as all servers should be, a Linux CLI-only server).

            Even my desktop keyboard is about 10 years old.

          4. onefang
            Coffee/keyboard

            Re: So...a whole new computer?

            "Keyboards last about a year max."

            And I thought I was hard on keyboards. You type with a sledge hammer? Or do all your keys look like that all the time? -->

          5. englishr
            Mushroom

            Re: So...a whole new computer?

            "Keyboards last about a year max."

            Dang, you're hard on your keyboards; I'm typing this on an IBM buckling-spring keyboard manufactured in 1996, and used 8 hours a day, 5 days a week. I have the same thing at home, used for extensive gaming, and still going strong.

            Maybe you should try one (I've no affiliation with UniComp)?

            https://www.pckeyboard.com/

          6. DropBear
            Devil

            Re: So...a whole new computer?

            "Keyboards last about a year max."

            To each his own I suppose - mine consummated its first affair mating to a DIN-5 socket on a 386 mobo...

            EDIT: I really should finish reading before posting - got ninja'd into oblivion...

          7. JohnFen

            Re: So...a whole new computer?

            "Keyboards last about a year max."

            What are you doing to your keyboards?? Mine tend to last many, many years.

    2. Anonymous Coward
      Anonymous Coward

      Re: So

      You don't get anything out of Intel. Your contract is with your retailer. Likewise if you bought an OEM CPU for a homebuilt.

      The only avenue for potential is if you bought a boxed retail CPU (which nobody ever does, as OEM chips are so much cheaper).

  3. JohnFen

    Yeah, right

    Sorry, Intel, I'm not believing your claims just because you said them out loud.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yeah, right

      But kept quiet about the backdoor required by NSA.

    2. bombastic bob Silver badge
      Black Helicopters

      Re: Yeah, right

      but... but... but...

      what they're NOT telling you: new 'management engine' feature, NSA/MI6/GRU back door.

      Intel: sell me something _WITHOUT_ the "management engine" too, thanks. It's a bigger hole than Spectre OR Meltdown.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yeah, right

        I'm curious about the Spectre 1 variant only being fixed in software. I wonder why that is. Any software fix can be "unfixed" with a software update and, of course, there is still the management engine, as stated above.

  4. darkl

    But has Intel removed Intel Management Engine and Minix which gives full remote backdoor access to your PC to anyone with the privilege or hackers? Nope.

    Even Google have replaced IME and Minix with Linux kernel.

    Google "Replace Your Exploit-Ridden Firmware with Linux - Ronald Minnich"

  5. elvisimprsntr

    I expect the first round or two of CPU HW re-designs will have some technical problems/impacts.

    My mid '14 rMBP is humming along just fine. I think I can get at least another 3 years out of it. As for all my other Intel/ARM based devices (Apple, router/firewall, NAS, etc.), I am good for another 5 years.

    Thank you for reducing my home infrastructure CapEx for the next 3-5 years. I might just take a vacation or buy a new car.

    1. CrazyOldCatMan Silver badge

      My mid '14 rMBP is humming along just fine

      Likewise my MBP 2013[1] 17". Admittedly, I also have a 2017 15" MBP..

      [1] Somewhat upgraded - SSD drive, extra RAM.

  6. Ken Hagan Gold badge

    Is this news?

    We already knew that there would be some fix. The timescale isn't *that* surprising, given that they knew about this last summer. They are only talking about *some* new chips, initially, so it isn't like they've redesigned their entire product line. We don't yet know what the performance hit is.

    So I'm not sure I know anything now that I didn't know ten minutes ago.

  7. Anonymous Coward
    Anonymous Coward

    If I was clapping any slower it would be with one hand,

    1. DropBear
      Trollface

      Actually, that sounds like an interesting challenge - although the only immediate solution I can think off the top of my head kinda requires a supersonic hand...

  8. Anonymous Coward
    Anonymous Coward

    Why haven't they been sued into oblivion for knowingly selling defective goods, and then CHARGING people for new models...rather than replacing them free of charge?

    1. JohnFen

      As of mid-February, there were 32 lawsuits filed against Intel for this.

      1. Anonymous Coward
        Anonymous Coward

        Only 32???

        1. rmason

          @Ivan 4

          32 class actions. Lots and lots of amalgamated claims.

          1. 404

            Need to join a couple - good for a $10 check some years down the road...

  9. Schultz Silver badge

    Multicore, multiprocessor architectures in the future

    We'll probably end up with less memory sharing and the ability of processes to reserve a core+memory for their security relevant processes. Is there really another way to solve this issue? Finally a good reason to build seriously parallel processor architectures.

  10. Mike Lewis

    Between Scylla and Charybdis

    It's hard to decide between upgrading to a meltdown-free CPU with Windows 10 and keeping my newly-hobbled CPU with Windows 7.

    1. bombastic bob Silver badge
      Thumb Up

      Re: Between Scylla and Charybdis

      "It's hard to decide between upgrading to a meltdown-free CPU with Windows 10 and keeping my newly-hobbled CPU with Windows 7."

      well said! [I was going to put FreeBSD on mine, though... when I get the $ to spend on new hardware]

  11. Anonymous Coward
    Paris Hilton

    Brave New World

    What with Microsoft's plan to force every user to boot from the internet (a bit like an Xbox needs the internet to run, and a bit like having a workstation that is totally beholden to the server, from the days of the Arc) that MS has slowly and kind of stealthily been implementing, what with EFI killing BIOS chips using that silly boot system, Windows 10 S opting you by default to only purchase from the store, and Office 360 subscriptions - Intel, not building BIOS motherboards, will need to build [IOB's], internet-oriented boxes. This calls for a totally different design, even though you can boot from a network from EFI now. Everything will be internet-oriented and Intel cannot be left behind. Being aware of the plan, Intel has been on the project for some time (it will emerge), as have others.

    Eventually the transformation will be total and you will be lucky to access your local hard drives without the blessing of MS. You will have become a #CyberZombi, whereas you only act like one now.

    Intel, having much of their code software-upgradeable like EFI is now, won't have the same problems as current. But if hackers can still exist they might get to have some real fun with the new layout.

  12. Adam 1

    > Our next chips won't have data leak flaws we told you totally not to worry about

    By remarkable coincidence, my next chips will totally not have an Intel logo to worry about either.

    1. DropBear
      Trollface

      Mine neither, for sure. Although this is actually a superb demonstration of "correlation does not imply causation" on account of how I never had an Intel CPU...

  13. ExampleOne

    If we will still have to mitigate Spectre Variant 1 in software, how many of the mitigations will still be needed in the software? What are the performance implications of the still required mitigations?

  14. Anonymous Coward
    Anonymous Coward

    The root problem

    Spectre and Meltdown share little in common but were lumped together originally.

    Meltdown is really, really bad: it's easy to exploit and its patch comes with a huge performance penalty. It almost exclusively affects Intel chips.

    Spectre is a different beast: it affects pretty much everything, but is very hard to exploit, and in most cases a microcode update with little to no performance impact is all that is needed.

    By continuing to mix these, it just continues to cause confusion.

    1. Michael Wojcik Silver badge

      Re: The root problem

      Spectre is a different beast, affects pretty much everything, but is very hard to exploit, and in most cases a microcode update with little to no performance impact is all that is needed.

      This is not correct. The Spectre class of attacks is very large. Some of them are not particularly difficult to exploit, and it is essentially impossible to prevent the entire class on general-purpose computers.

  15. Anonymous Coward
    Anonymous Coward

    Once upon a time....

    ....a long tome ago, there was an FPU bug.

    *

    Back in the day the CPU chip was connected to the computer using a ZIF socket (workstations) or a daughter board (some laptops). This meant that Intel (or the laptop manufacturer) sent the user a new CPU or daughter board with the new CPU, and the user did the swap and sent the old piece back.

    *

    No more. Mostly CPU chips are soldered to the motherboard ("No user maintainable parts in this box"), so the fix requires the user to buy a WHOLE NEW COMPUTER OR LAPTOP. Now....who benefits from this "new improved" arrangement?

    *

    ....everyone except the end user! Why am I not surprised?

    Signed: A Dinosaur

    1. CrazyOldCatMan Silver badge

      Re: Once upon a time....

      ....a long tome ago, there was an FPU bug.

      Must have been a good read to take 20 years to finish it..

    2. Roo
      Windows

      Re: Once upon a time....

      The big expensive chips still come in socket format... Although I imagine Intel will be changing the socket again...

  16. J27 Silver badge

    Great, when are they shipping out the bugfixed chips to every affected customer?

  17. JimmyPage
    Stop

    So a bug that's been there for decades is fixed in six months ?

    Is it just me, or is it anyway you slice that it makes Intel look pretty shit ?

  18. Randy Hudson

    Can anyone explain how JavaScript, which runs on a virtual machine and can't access memory that hasn't been initialized by that VM, could read data from another process?

    1. JohnFen

      There are a number of excellent explanations a Google search away, but here's my very loosey-goosey summary: this is a side-channel attack, and so it doesn't require privileged access to implement. VMs, restricted memory access, etc., do nothing to protect against it because no privileged operations are required to perform it.

      In short, it's about tricking the processor. To maximize speed, the processor executes instructions that it thinks might need to be executed in the immediate future during times when it would otherwise be idle. If it predicts wrong, it ignores the results and no harm done.

      The thing is that executing those instructions leaves behind traces, and important information can be gleaned from those traces.

      An important larger lesson can be gleaned here: if you think that VMs provide an impenetrable wall between the VM and the host, you're mistaken. That has never been true, and wouldn't be true even if this processor flaw didn't exist.

  19. TrumpSlurp the Troll
    Trollface

    Just checking

    Intel have just upgraded their architecture to catch up with AMD?

  20. Michael Wojcik Silver badge

    Spectre variant 1 is not mitigated in general

    Variant 1 can be fixed by patching programs to thwart Spectre-based attacks.

    This is misleading. Specific variant-1 Spectre-class attacks can generally be mitigated in software. Preventing all SV1-class attacks with software patches is very likely infeasible, particularly when you consider other timing channels (besides the cache).

    The original Spectre paper discusses this, albeit only briefly.
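As an added illustration of the two points above (JohnFen's summary of why a VM or sandbox offers no protection, and this post's distinction between mitigating specific variant-1 gadgets and preventing the whole class), here is the classic bounds-check pattern beside one of the software mitigations that program patching actually applies. This is example code written for this page, not code from The Register, Intel or any commenter; the lookup table and its contents are constructed, and the mask routine is written in the spirit of the Linux kernel's `array_index_nospec()` rather than copied from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table (hypothetical data, not from the page). */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/* The textbook pattern. Architecturally this is correct: an out-of-range
 * idx never reaches table[idx]. The problem the thread describes is that a
 * mispredicted branch lets the CPU *speculatively* perform the read before
 * the comparison resolves, and that transient read leaves cache traces. */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless mask: all-ones when idx < size, all-zeros otherwise.
 * (size - 1 - idx) only wraps around (setting the top bit) when idx >= size,
 * so the top bit of the OR is 1 exactly in the out-of-range case. Uses only
 * unsigned arithmetic, so it is well defined for every input. Assumes size
 * is below SIZE_MAX / 2, which any real array length satisfies. */
size_t nospec_mask(size_t idx, size_t size)
{
    const unsigned top = sizeof(size_t) * 8 - 1;
    size_t oob = (idx | (size - 1 - idx)) >> top;   /* 1 if idx >= size */
    return (size_t)0 - (oob ^ 1);                    /* ~0 in range, 0 out */
}

/* Hardened pattern. The architectural check stays; the mask additionally
 * clamps idx to 0 on the speculative path, so even a mispredicted branch can
 * only ever touch table[0], a fixed and uninteresting location. This closes
 * this particular gadget; it does not, as the post says, close the class. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    idx &= nospec_mask(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    size_t probes[] = { 0, 5, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t p = probes[i];
        printf("idx=%zu mask=%s unprotected=0x%02x hardened=0x%02x\n",
               p, nospec_mask(p, TABLE_LEN) ? "in-range" : "clamped",
               lookup_unprotected(p), lookup_hardened(p));
    }
    return 0;
}
```

Both functions return identical values for every input; the difference is only in what the processor may do transiently, which is why a sandbox, a VM or a JavaScript engine cannot help: no privilege boundary is crossed architecturally. The other common software fix, a serializing barrier such as `lfence` after the check, costs more but does not depend on the index-mask arithmetic; compilers and kernels use both depending on the site.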


Biting the hand that feeds IT © 1998–2021