Intel chip massive security flaw

RandyEspoda
Posts: 275
Joined: 14 Mar 2017

07 Jan 2018

grueser3 wrote:
06 Jan 2018

I too would be curious if anyone else has done a before and after test. I’m assuming the older the chip the worse the performance, but is it noticeable in the newer chips? Or nothing to worry about?
From what I can tell from other users, the newer chips seem to be impacted far less,
so especially if you have a 6th/7th/8th gen Intel you shouldn't have to worry unless you're running SQL and other databases in a home or business server setup, or run a lot of VMs.
Older chips seem to be impacted way worse; I've read a few 'worst scenarios' from some with an older chip.
Those users should be VERY wary. I have a FIRST gen i7, almost 10 years old, so I am definitely one of those.
I'm still waiting out the storm a bit and staying on top of it to see what will eventually be what.

Also mind that some AV applications are not 'compatible' with the patched kernel,
so those using one of said AV applications will have the patch either blocked, or installed but then your system will crash (BSODs!).
For that, all AV vendors are now catching up to release an updated version of their software that implements a registry key to make the AV app compliant with the new way of communicating with the kernel.
So before installing you should first check your AV brand for compatibility, and if needed update the software.

And all of that is STILL only regarding 'Meltdown'.
To confuse things even more, upcoming are still microupdates from the hardware vendors to 'start' mitigating 'Spectre', which will be a very long-winded progression, because the actual extent of its potential exploits is still mostly unknown.

This humongous catastrophe will probably give both vendors and software devs after-shocks for years.

That is why, no matter what comes out of this, my Win7 music machine is going full DMZ from now on.
Switching to Linux for the usual online tasks for good. I always said: 'never' Windows 10 in this house,
and now seems to be the time to stick to my word and execute this life-long Win10 ban. That OS is (still) just plain unacceptable for me.

So again, if you have a newer Intel chip you can probably just install it and not notice any 'real' differences in your DAW (unless running VMs or SQL, ...), but for older chips (specifically 'pre' Haswell and 'foremost' the 1st and 2nd gen i5/i7) you should be cautious, because then a performance loss of 10-20% or more 'could' be very real. Remember that every interrupt from and to the audio interface is going to be affected, and older chips likely handle it less efficiently than the newer chips. Someone said it wouldn't matter for audio I/O because we would be talking '0.0000002' seconds and the likes, and with the patch it would still be something in the order of '0.0000202' sec, but again that is probably a bit worse for the first generation i5/i7s... so I'm not really convinced by that guy's statement...
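The post above says to check your AV product for compatibility before taking the January 2018 Windows kernel update, because the update was withheld (or caused BSODs) until the AV vendor set a registry flag. The following PowerShell is an added example, not code from the forum post or from Microsoft: it reads that compatibility flag, lists the registered AV products if the flag is missing, and, where Microsoft's SpeculationControl module is installed, reports whether the Meltdown/Spectre mitigations are actually active. The key path, the GUID value name and the module name are Microsoft's documented ones and do not appear in the post; treat them as assumptions to verify against Microsoft's own guidance for your Windows version.

```powershell
# Added example (not from the forum post): pre-flight check for the January 2018
# Windows kernel update. Microsoft asked AV vendors to write a REG_DWORD of 0 under
# the QualityCompat key once their product was verified against the patched kernel;
# Windows Update withheld the fix while that value was absent. Names below are
# Microsoft's documented ones, assumed here rather than taken from the post.

$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # expected: REG_DWORD, data 0

function Test-AvCompatFlag {
    # $true only when the key exists and the value is present with data 0.
    if (-not (Test-Path -Path $compatKey)) { return $false }
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$compatName -eq 0)
}

function Get-RegisteredAv {
    # Security Center's view of installed AV products (present on workstation SKUs,
    # not on Server); productState is a bitmask, so it is shown raw for inspection.
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue |
        Select-Object -Property displayName, productState
}

if (Test-AvCompatFlag) {
    Write-Host 'AV compatibility flag is set: the kernel update will be offered.'
} else {
    Write-Host 'AV compatibility flag missing: update the AV product first, or expect the patch to be withheld.'
    Get-RegisteredAv | Format-Table -AutoSize
}

# Mitigation status after patching. Requires Microsoft's module once:
#   Install-Module -Name SpeculationControl
# The output shows whether the OS-side mitigations are present and enabled and
# whether the CPU microcode (the "microupdate" the post mentions) is present.
if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings | Format-List
} else {
    Write-Host 'SpeculationControl module not installed; mitigation status not checked.'
}
```

Run it in an elevated PowerShell session before and after installing the update. The second half is what settles the post's point about old motherboards: on a machine whose vendor never ships a microcode update, the SpeculationControl report will keep showing the hardware-support fields as absent even after the Windows patch is installed, so you can see exactly which half of the fix you have.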

RandyEspoda
Posts: 275
Joined: 14 Mar 2017

07 Jan 2018

starship wrote:
07 Jan 2018

Agreed with this sentiment. I have an old i5 760, just bought an i7 (860?) that can fit in its motherboard socket... and ... I don't even know if hyperthreading helps with that cpu. :) Does turning it on actually improve performance?

In the category of dumb impulse ebay purchases... especially in light of this new bug and/or I didn't even check to see if HT worked with that chip. :) lol
The i5 does not have HT, it is a plain quad-core. I too had the 750 first, now I have the 860 as well, also because it is the only one that fits my current mobo... reluctant to upgrade it all ;)

Depends whether you're using a lot of parallel connections in the rack/mixer or not.
Hyperthreading in Reason works only by distributing the workload of the 'parallel' processes across the available threads.
That is because of the way Reason handles serial vs. parallel processes in its environment.

So if you're using mainly devices in serial, then best leave it off, otherwise performance will severely drop.
And despite the many complaints and whining about it, it does work as intended.
You'll see the DSP meter go up in both cases though, because the added threads and distributed workload across them will increase the time needed to render, but remember that DSP is showing the time needed to render and is in no way an exact reflection of your actual 'cpu-load'.

E.g. with an old CPU you will have a higher cpu-load than with a new CPU, while both are running the same level of DSP...
HT can make the CPU-LOAD better or worse for both, while actually utilizing 'more' DSP because of the extra threads 'needing' processor TIME to render.

When using HT in Reason correctly (read: using mostly parallels and not too many serials), you'll see DSP go up BUT in your OS task manager you'll see your CPU-LOAD drop!
In case of wrong use (read: using mostly or (too) many serials and not that much parallels) you'll see both DSP and CPU-LOAD increase.

I always start with HT off in Reason, and depending on the direction the project goes I'll enable it when things get filled up.
The issue is that when DSP starts to fill, and you enable HT, in some cases you'll already be touching or nearing the max, and it becomes fairly useless because turning on DSP in Reason will fill up the DSP meter a bar or two.

The trick in getting the 'most' from HT is to drop the sample buffer one or two notches when you enable it.
That way your DSP drops a bar or two, and you'll be greatly benefiting from the added power.
Usually you're already in the mixing stages so the added latency shouldn't matter anymore...

Because the thing is, with HT on it'll take 'longer' for the DSP meter to fully fill up than it would with HT off.
and dropping the buffer (and thus the DSP meter) a bit gives you the needed headroom to take advantage of the 'prolonged' DSP ride to the top.

Many people do not fully get that it works differently in Reason and conclude that it doesn't work at all,
but it definitely does, given you understand that it does NOT work the same way as in other DAWs.

You'll only benefit from it given the mentioned circumstances.
Obey the rules when meeting them and your DSP mileage will increase until it reaches 100%.

RandyEspoda
Posts: 275
Joined: 14 Mar 2017

08 Jan 2018

I am by now pretty much convinced that those with older chips needn't worry at all,
just skip the patch if you're on Win7 with an old cpu.

Several reasons for that:

1) Although MS has been 'leading' the way by providing an OS-wide patch that remarkably slows down your CPU, some software vendors have already issued patches for their software, like Firefox, Google, and some others. VERY soon a lot if not most others will most likely follow.
Although not a complete 100% fix, it is a fix not unlike any other security bug, flaw or leak being patched, so above all we need to realize that very few of those patches are ever 100% fixes to begin with, and none of us need panic.

2) Even if you install the patch from MS, slowing down your CPU (and yes, the old ones ARE pretty much noticeably impacted),
unless you update your BIOS as well with a provided patch from the vendor, again, it will still be only half a fix.
And do not expect older mobos like the P7 or P8 series or something like that to ever receive any patch. Asus has already confirmed to only patch the Z99 and after, so everyone still running an Asus board before that is pretty much done for the trouble even if they install the M$ patch.
With an older CPU it is understandable that one needs every % squeezed out of it, and there is little need to panic by not installing the patch.

3) "On a standalone computer, the vulnerability only gives access to applications running on the same host. Other malware running as administrator or system can potentially do the same (with some limitations thanks to other security measures)", writes Haber.
"This threat is not like WannaCry or other ransomware that can infect the computer when the user is not present (for example, a remote privileged exploit). A user must do something to run a new program, and run this program with sufficient rights before the vulnerability can be exploited. This is the reason the threat is not critical to the average user and poses a much higher risk for cloud providers and virtualized environments. A threat actor with the possibility to set up a new virtual machine can exploit this vulnerability to see other environments, including environments that are not his. That's the risk, not your iPhone and certainly not an Apple MacBook Pro."

https://translate.google.com/translate? ... edit-text=

"Due to the nature of this exploit, the actual risk is extraordinarily small. There is really nothing to worry about."
https://discussions.apple.com/thread/8229091

4) "As of today, there are no known exploits in the wild impacting vulnerable Intel, AMD and ARM devices."
https://threatpost.com/experts-weigh-in ... es/129337/

"Despite these details, as of this writing no known exploits have yet been seen in the wild".
http://www.channelpostmea.com/2018/01/0 ... AMcYbZT.99

There are no known exploits as of today. Of course that will eventually change, but there's no rush, none at all, at least for us home users. Companies and entities holding sensitive and valuable info on servers are another story, which is why the hard- and software world are now rushing to get ahead of it.
The script kiddies will not be hacking your kernel in the next few weeks. In terms of years? Well, yes, by then they will, BUT unless you constantly surf porn sites you'll still be fine. We make music, people, we don't surf shady crack sites and porn hubs, we make music and buy all of our software, we surf clean sites, so the risk will even then be very very minimal. All software will eventually be patched anyway and it'll be treated like any other malicious exploit by the time the small-time hackers get their hands on some workable tools. And the big-time hackers will not be targeting your home PC but mostly the big data centers and webservers and the likes. Eventually this could lead to a new CPU design but until then there is little to actually fear for you and me.

Remember the ransomware hype? Worldwide hysteria, and for what, actually??? As long as you use your common sense like you've always done and stay away from shady mails and sites, NOTHING happens. It has been YEARS since I've even had a frelling virus, and I surf daily, but always on secure and clean sites, and I always check the actual mail addresses for every single mail before even clicking on anything. Use your sense, don't just fall for the hype (again) and go running out in panic installing whatever you can get to fix it 'now now now'... it's just a fool's game for home users, and most of what you reel in on your PC is dependent on your surf behavior in the first place.

So to recap, for older CPUs you're relying on the software vendors anyway to partially fix the (VERY SMALL) risk to home user setups.
You can choose to install the slowing M$ Windows fix and lose up to 15-20% potentially, or wait it out, relax the frell down, and let the software vendors do their thing and patch their applications. Combined with good clean surfing behavior, as it should have always been, that will suffice for an old standalone PC that is still connected to do some surfing. The M$ fix is worthless anyway 'without' the microupdate from your motherboard vendor. Unless you surf the shady corners of the web the risk of being hacked will remain the same as it has been before. By the time exploits fully surface most software will be patched anyway, including firewalls, AV, malware, things like HIPS sandboxes, browsers, etc...
And if you do surf dangerous sites on a regular basis or you're just too paranoid, you can pull the cord and start using another PC for online connectivity, make the music station dedicated and isolated from the web.

The newer motherboards will get their microupdate and their cpus are far less affected than say a Lynnfield or Clarkdale, so they can just install it all and be done, never look back.
Last edited by RandyEspoda on 08 Jan 2018, edited 3 times in total.

RandyEspoda
Posts: 275
Joined: 14 Mar 2017

08 Jan 2018

Here's Haber actually saying the same thing, and confirming what I already suspected for a while myself:
"In order to exploit this vulnerability, a malicious program needs to be executing on a host to compromise the flaw in the CPU and memory. Someone must install the application or daisy chain the request through a browser drive-by attack. This means web surfing to a web site that has been compromised or hosting malicious code. Good cyber security hygiene includes some form of application control, privileged access, and anti-malware defenses. These, when operating properly, will stop the malicious program in the first place that exploits the vulnerability."
https://www.beyondtrust.com/blog/intel- ... ot-affect/
A lot of fuss over this, which is completely valid in the server and corporate realms, a catastrophe it is, but hardly an issue for home users.
We should be more worried about ransomware type stuff we've already been dealing with for years.
Malicious sites are already being blocked by default by most if not all AV and malware applications,
and when surfing consciously it is RARE that you should even come across one at all.
Other software is equally going to be patched in the coming period, so actually we're being forced into panicking when there is hardly anything to panic about.

sot
Posts: 88
Joined: 03 May 2015

08 Jan 2018

If it was another company it would be dead now and Intel would take advantage of this in a second. It seems unreal that they didn't know these hardware flaws for so many years. I'm very disappointed with Intel and I've been interested in computers since my first one, a C64.
:reason: 10

RandyEspoda
Posts: 275
Joined: 14 Mar 2017

08 Jan 2018

sot wrote:
08 Jan 2018
If it was another company it would be dead now and Intel would take advantage of this in a second. It seems unreal that they didn't know these hardware flaws for so many years. I'm very disappointed with Intel and I've been interested in computers since my first one, a C64.
Let me explain it like this:

If we (or Intel for that matter) would be aware of 'every' security flaw (like the current one(s)) that truly exists in our CPUs as we speak, most users and companies would literally freak the f* out. This is one of the 'potential' risks within the architecture of these CPUs that eventually got figured out and thrown in the open. But in truth there are most likely many more we still aren't aware of.

In other words relax, the media makes it sound worse than it is (for us users).
It IS as bad as they say for 'companies' and server realms, but for us it is not even as bad as most ransomware.
Intel f* up, and they probably know it. The only reason I can see 'why' they waited a year to go public about it is because they were planning their moves to try and make 'sure' they come out of their pickle ahead of it. Wouldn't you?

This is def. gonna hurt Intel very badly, question is: what do they have planned to save their *sses? Must be something they were brewing during that whole year of silence...

grueser3
Posts: 64
Joined: 03 Jul 2016

08 Jan 2018

Randy, you are a wealth of knowledge, thanks for sharing.

starship
RE Developer
Posts: 194
Joined: 04 Sep 2015

08 Jan 2018

RandyEspoda wrote:
07 Jan 2018

The i5 does not have HT, it is a plain quad-core, I too had the 750 first, now I have the 860 as well, also cause it is the only one that fits my current mobo...reluctant to upgrade it all ;)
........
OK! That helps a lot. Btw, I already knew my i5 wasn't HT. ;) haha... That's why I bought the i7... but I regretted it b/c what I really need is a new AMD... Especially if it won't always help. Thanks! And thanks for the details on the bug too.

joeyluck
Moderator
Posts: 11029
Joined: 15 Jan 2015

16 Jan 2018

Apple just released a supplemental security update to 10.13.2 (which had already supposedly addressed Meltdown).
Looks like some patching for Spectre.
Available for: macOS High Sierra 10.13.2

Description: macOS High Sierra 10.13.2 Supplemental Update includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

We would like to acknowledge Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61 for their assistance.
