Oh Oh
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Sarah's Resources You Should See
Full-Text Search & Archives

Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

2018-01-02 18:26 by Karl Denninger
in Technology , 434 references Ignore this thread
Oh Oh
[Comments enabled]

Hoh hoh it really is as bad as I thought.

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

No, at worst it means the hole could be abused to read hypervisor data, including encryption keys from other user's workspaces, since the Hypervisor by definition must be able to map all the guest address spaces.

In other words all cloud computing environments are insecure.

What's worse it looks like the root cause of this is that Intel cheated.  In other words their processors speculatively execute code in such a fashion that the actual access takes place before the privilege check is done.  This is good for performance but horrible for security in that it apparently can be leveraged to allow the reading of anything accessible from the hypervisor -- in other words, any other client's data.

This is a really big deal folks.  I've heard rumblings of a severe Xen problem (a common hypervisor) for a while now -- several months of relatively loud rumbling, starting with some little chirping about a year ago and change.  If this is the issue and is embedded in the architecture of the CPUs involved in modern systems then any cloud-based system will be forced to use the mitigation code which will slow it down dramatically.

Incidentally "not doing that" turns a "one machine cycle for one instruction" thing into, in many cases, a couple hundred machine cycles.  It's that bad and properly "fixed" via code workaround the performance bite will be taken on every system call.

The economic impact of this renders most so-called "cloud computing" arguments moot since we're talking performance hits of 30% or more for many common workloads -- especially those that make a lot of kernel calls!

You can bet the so-called "analysts" won't pay a bit of attention to this -- but they damn well should.  The "correct answer" is change all the CPUs to ones without this flaw -- RIGHT NOW -- but I'm sure you can figure out how happy some CIO (or CEO, or investors) will be to hear that.  The other answer is "buy 30%+ more CPUs to cover the performance deficit", which I'm sure will produce exactly the same sort of howl and should produce the same sort of hit to stock prices.

It probably won't, but it damn well should.

Then there's this -- it appears AMD's processors are not subject to this problem -- and it's been strongly hinted at by AMD that this is because they don't speculatively start execution of an instruction before determining whether it will result in a page fault.  A common complaint is that AMD's chips are somewhat slower than Intel's for "equivalent" clock speed and capability (generation, etc.)  Is the reason they were slower that Intel knowingly cheated and, if so, what implication does that have across the computing universe, especially in places where security is considered important like, oh, pretty-much everywhere?

Go to responses (registration required to post)
 
 
Comments.......
User: Not logged on
Login Register Top Blog Top Blog Topics FAQ
Showing Page 1 of 3  First123Last
User Info Oh Oh in forum [Market-Ticker]
Erbo
Posts: 308
Incept: 2010-06-10

Denver, CO
Report This As A Bad Post Add To Your Ignored User List
Apparently AMD did not cheat: https://lkml.org/lkml/2017/12/27/2

That's cold comfort, however, for all the folks that have a huge Intel installed base.

----------
"There is a ready solution for anyone on the public payroll who feels that he is not paid enough: He can resign and work for a living. This applies with equal force to Congressmen, Welfare 'clients,' school teachers, generals, garbage collectors, and judges." - Ira Johnson
Highaltitude
Posts: 8
Incept: 2018-01-02

Colorado
Report This As A Bad Post Add To Your Ignored User List
Phoronix just ran some early benchmarks on the the kernel changes and it looks to effect performance as badly as feared. Would like to see some benchmarks with virtualization as I think this is where the changes in context switching will really show up.

https://www.phoronix.com/scan.php?page=a....

Alosix
Posts: 1007
Incept: 2009-03-31

Behind enemy lines..
Report This As A Bad Post Add To Your Ignored User List
Another fun usage of this I'd think would be able to steal compute time from AWS. Would probably take a bit to find something interesting on a particular server, but getting compute time outside of your instance could be entertaining.

----------
"Software Development is one of those jobs, like picking lettuce, or cleaning toilets, that Americans just refuse to do." : STCM
Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Quote:
Phoronix just ran some early benchmarks on the the kernel changes and it looks effect performance as badly as feared.

Yeah, that's gonna be ugly.

Steal compute time? **** that -- steal encryption keys and credit card databases -- or even better, hypervisor credentials.... smiley

----------
Winding it down.
Idiom
Posts: 121
Incept: 2015-02-20

New Zealand
Report This As A Bad Post Add To Your Ignored User List
I would think that cloud usage is pretty inelastic. It affects every provider equally, and the alternative is building a new datacenter of ones own.

So usage of existing hardware goes up by 30% and everything gets replaced on its already planned scheduled which has to pretty short at any rate.

Unless someone has recently built out a **** tonne of AMD then everybody is in the same boat.

Still, the game theory outcome is that everyone has to upgrade as fast as they can and eat the cost, same as always.

The greatest temptation is to not patch or not patch properly and just assume data theft isn't your problem, its your shareholders.
Highaltitude
Posts: 8
Incept: 2018-01-02

Colorado
Report This As A Bad Post Add To Your Ignored User List
Here is the thing though, this flaw has been in Intel processors for about a decade. Intel has been running about 30 to 50% better performance than AMD over those years. Turns out AMD might not have been slower but that Intel took a shortcut to boost performance and hoped they would not get caught. Even more reckless it was done in silicon in a way that microcode cannot fix it.

Every datacenter that has spent tens of thousand of dollars++ on Intel should demand Intel fixes the problem with new chips to replace the old ones. Could be a big boost to AMD bottom line.
Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Tens of thousands? These CPU chips (the higher end Xeons, for example) are north of a grand EACH.

----------
Winding it down.
Tinman
Posts: 292
Incept: 2008-02-16

Report This As A Bad Post Add To Your Ignored User List
AMD up 6.81 today. I always wondered why their CPUs could never complete. I wonder if AMD benchmarks will be impacted by the code rework. If not it might put AMD on equal footing with a cheaper product. Not to mention no Intel management engine which everyone hates... not sure if AMD has something similar.
Highaltitude
Posts: 8
Incept: 2018-01-02

Colorado
Report This As A Bad Post Add To Your Ignored User List
Yes, probably should have said millions. Does not include the millions this could cost cloud providers when they lose performance on current systems. Interesting that Intel engineers stated they were concerned about disabling this Kernel code for AMD even though they do not have the flaw in their chips.

I think they knew about this vulnerability when they made this design choice and know they dont have anywhere near the performance margin over AMD when the flag for this is disabled in the Kernel for AMD products. Add that to the price discount of buying AMD and I would think Intel is seriously concerned on where this might lead.
Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
IMHO on typical workloads AMD is likely faster with the mitigation in place.

In other words Intel cheated -- knowingly.

----------
Winding it down.
Limberlumber
Posts: 211
Incept: 2007-09-05

North Compton, CA
Report This As A Bad Post Add To Your Ignored User List
I'm not an "Techie" like you guys, but it sounds like somehow, somewhere I'm about to get another shaft-job...smiley
Also sounds like a good Long AMD/Short INTC "pairs trade".

----------
"Economic Progress one Funeral at a Time". - Steve Keen

Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
I think there's a pretty-clean argument that this should put Intel out of business. It won't, of course, but this is one of those deals where strict scrutiny is appropriate, especially considering WHERE those processors tend to be used and the utterly-insanely wide range of CPUs where this is at issue (like all of them of modern design, basically.)

----------
Winding it down.
Beango
Posts: 749
Incept: 2009-06-05

Report This As A Bad Post Add To Your Ignored User List
"This program has performed an illegal operation and will be allowed to continue"

I wonder what other shortcuts they've embedded in their chips.
Lurksalot
Posts: 72
Incept: 2011-08-10

Utah
Report This As A Bad Post Add To Your Ignored User List
OK, for the computer-challenged, if I got a techno-geek friend to help me, could he swap out an Intel chip for an AMD chip (I presume that would be nearly equivalent to having a new computer)?

More importantly, would that be of any benefit or, if I do business with any player (Amazon, Blue Cross, Citibank, etc.) whose information processing/storage activities utilize a cloud-based system (even temporarily) does that mean all my data could already be "up for grabs" even if I have protected my own computer?

My Mother who recently passed away in her late eighties never wanted me to do any online banking. Maybe she used her own kind of "Intel" to reading the writing on the wall.

Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
Quote:
OK, for the computer-challenged, if I got a techno-geek friend to help me, could he swap out an Intel chip for an AMD chip (I presume that would be nearly equivalent to having a new computer)?

No. You'd need to swap the motherboard and probably the RAM.
Quote:
More importantly, would that be of any benefit or, if I do business with any player (Amazon, Blue Cross, Citibank, etc.) whose information processing/storage activities utilize a cloud-based system (even temporarily) does that mean all my data could already be "up for grabs" even if I have protected my own computer?

Yes. Actually, it's already up for grabs and has been for years. Only God knows how many people have figured it out and used it, but you can bet the TLAs have been all over this for a LONG period of time -- both foreign and domestic.

----------
Winding it down.
Mpinco
Posts: 44
Incept: 2009-03-12


Banned
Report This As A Bad Post Add To Your Ignored User List
In summary the threat horizon is Intel, virtualization and speculative execution that is not processed for security thereby potentially allowing access to kernel data. In addition this is all OSes as this is a hardware issue. Haven't seen discussion of vmware but would think they are also exposed.

As for adding more processors, performance doesn't always scale by simply adding hardware. In fact many applications hosted in a virtual environment don't scale with more CPU's and in fact, depending on hypervisor, can run slower with more logical units as scheduling overhead increases.

Popcorn time.
Emg
Posts: 123
Incept: 2012-11-20

Canada
Report This As A Bad Post Add To Your Ignored User List
Intel appears to have been taken over by SJWs in the last few years. I'm not surprised they're more concerned about 'diversity' than producing chips that don't have backdoors and security holes.

I'd been thinking about getting an AMD CPU for my next gaming PC because of Intel's lacklustre performance gains in recent years (my current gaming PC is still using a CPU from 2012), and after the events of the last few months, I think it's pretty certain that I will be.
Invis
Posts: 3
Incept: 2018-01-02

Report This As A Bad Post Add To Your Ignored User List
IFF this is confirmed to be as bad as it seems to be, and IFF this gets the coverage it deserves, I don't see how Intel will avoid replacing the silicon for at least Xeon v3+; it'll be too much of a PR ****-storm, especially now that AMD has something that competes. I suspect Intel will wrangle something on the desktop side.

I started building a dual-socket Xeon workstation (FreeBSD, E5-2630v3) a couple years ago. At the time there simply wasn't a performant alternative from AMD. I've obviously wasted my money on the 2nd CPU (pull from new server but not via any "official" channel, not installed yet), but I see no reason why Intel shouldn't replace the first with something that does the job they claimed it would do.

However, I don't expect this to get coverage (cheaper for Intel to pay for a cover-up), so when they wriggle out of everything I'll be having words with my insurers: in any rational world (yes, I know) a 30% loss of performance is called "broken", and since I didn't cause it my insurance should cover it. (I won't be trying to claim for the whole machine, just the mobo and CPU - the Noctua cooler is AMD compatible and everything else will work fine).

Needless to say, the machine I'm spec'ing for the Windows software I still need to run and that isn't fast enough in VirtualBox (Hello, Adobe? Will you please hurry up and support Linux already?), won't be Intel; from what I've read Coffee Lake doesn't have this problem, but damned if I'll take that risk. Besides, what other corners have Intel cut?
Tsherry
Posts: 1013
Incept: 2008-12-09

Spokane WA
Report This As A Bad Post Add To Your Ignored User List
Holy ****.

----------
Omne mendacium est.
Hcs
Posts: 1
Incept: 2018-01-02

maryland
Report This As A Bad Post Add To Your Ignored User List
Oh wow. first there is there Intel ME mess(which is still present in every single Intel CPU made) and now this. I agree this should take Intel out....unfortunately folks are resistant to change...especially when it costs them money. I do not have Karl's reach but I have been telling all around me who would listen that the "cloud" was BS....glad to see how easy it will be to articulate it now.
Flyanddive
Posts: 2501
Incept: 2008-10-10

Detroit
Report This As A Bad Post Add To Your Ignored User List
From what I have read, AMD performance will also be hit to patch the Intel exploit.

----------
"I've seen people go into real poverty trying to pretend to be rich."
Tickerguy
Posts: 151187
Incept: 2007-06-26
A True American Patriot!
Report This As A Bad Post Add To Your Ignored User List
No.

----------
Winding it down.
Curbyourrisk
Posts: 4030
Incept: 2008-08-19

Farmingdale, NY
Report This As A Bad Post Add To Your Ignored User List
OK - NON-TECHHIE here and looking to buy a NEW laptop that won't break my bank

ANY SUGGESTIONS - I am looking for something I do not have to build myself.

Also - any suggestions for best malware/virus software?


----------
Time is up.

I hate to burst your bubble, but there is no Santa Claus, the tooth fairy does not exist and American justice does not involve the courts.
Wifi
Posts: 625
Incept: 2013-02-13

Seagrove Beach
Report This As A Bad Post Add To Your Ignored User List
inline
The Obvious Solution

----------
Hurricane Evacuation Plan
1.Grab Beer
2.Run Like Hell
Login Register Top Blog Top Blog Topics FAQ
Showing Page 1 of 3  First123Last