Intel bug incoming? Meltdown and Spectre exploits

I really do feel the need to read the current and any future AMD communications on this issue from the horse's mouth. The 'near zero' BS makes me want to keep a close eye on what they say. YMMV.

If you care about security you should ALWAYS keep an eye on future security information because there will always be new attacks, that is the way the world goes. Again, back to the worm example, just because MS say they've patched whatever it is so that the blaster worm can no longer attack computers, they made no such claim that they were safe from all worms in the future, nor because the blaster worm was dealt with does that mean users should go around clicking on every link and installing everything every web page wants you to. You still should keep up to date on security.

I only want to hear what the current state is so that is a simple binary answer. YES there are exploits that we are aware of or NO there aren't.
It's that straightforward and anything else is speculation on the future which is a separate issue.

So which is it, first post I quoted you seem almost upset about the BS answer that you need to keep an eye on future security, but then you want to know the current state in which I directly quoted for you AMD's answer earlier to which you keep saying it isn't enough.

The current variant 2 attacks DO NOT WORK on AMD processors, no one has been able to make them work, but other variant 2 TYPE attacks written in the future may possibly find some path, a different path to all the types people have tried so far.
They've made the direct statements you want, it's been pointed out to you but then you post again saying you need something else.... that you've already been supplied with.

AMD is not vulnerable to variant 3 or any current variant 2 attacks. Variant 2 is non-specific in implementation so it's possible that a future attack could work, variant 3 is a very specific type of attack and it's known AMD is not vulnerable to that. Also because of how variant 2 attacks work and because of AMD's architectural implementation there is also extremely little risk in the future of variant 2 attacks happening, hence, near zero but not zero. Intel is 100% vulnerable to variant 2 attacks already written, AMD is 0% vulnerable to variant 2 attacks already written. Intel will be very vulnerable to future variant 2 attacks, AMD will be exceptionally unlikely to be vulnerable to such attacks.

I don't know how anyone can read all the information out there and have anything but a massive increase in confidence in AMD security while at the same time a massive decrease in confidence in Intel security.
 
'Near zero' is a BS PR term with no meaning. They can only report on the current situation which is a binary Yes or No. Nearly No is plain ridiculous.
I'm looking at building a Ryzen system in the next fortnight and 'near zero' doesn't fill me with complete confidence so I will have to read their statements in more detail and get a mystic to interpret them; "Near Zero" is a very Zen like statement! :)

Regarding Meltdown - the root cause is incorrect speculative execution, which has been found in almost all Intel CPUs going back at least a decade. AMD (who should really know how their hardware works better than researchers, and has been admitted as such in the research papers) claim their CPUs don't have this bug. This actually should be one of the easier aspects to confirm.

Regarding Spectre - the root cause is that even when done correctly, speculative execution can be abused in a way to leak information between userland processes - so all modern high performance CPUs are affected even if they have no bugs. There are two variants of this vulnerability, and it has been unclear here which AMD processor families are affected by which variant.
 
"Repeating the same stuff"
You are missing the point that I'm making so don't waste your time repeating yourself.
I am simply saying that the AMD response contained a meaningless PR term that raises a flag and no more.
I get the big picture and it looks good for AMD but I wish they hadn't used such a stupid phrase as it isn't helpful at times like these.
 
If you care about security you should ALWAYS keep an eye on future security information because there will always be new attacks, that is the way the world goes. Again, back to the worm example, just because MS say they've patched whatever it is so that the blaster worm can no longer attack computers, they made no such claim that they were safe from all worms in the future, nor because the blaster worm was dealt with does that mean users should go around clicking on every link and installing everything every web page wants you to. You still should keep up to date on security.



So which is it, first post I quoted you seem almost upset about the BS answer that you need to keep an eye on future security, but then you want to know the current state in which I directly quoted for you AMD's answer earlier to which you keep saying it isn't enough.

The current variant 2 attacks DO NOT WORK on AMD processors, no one has been able to make them work, but other variant 2 TYPE attacks written in the future may possibly find some path, a different path to all the types people have tried so far.
They've made the direct statements you want, it's been pointed out to you but then you post again saying you need something else.... that you've already been supplied with.

AMD is not vulnerable to variant 3 or any current variant 2 attacks. Variant 2 is non-specific in implementation so it's possible that a future attack could work, variant 3 is a very specific type of attack and it's known AMD is not vulnerable to that. Also because of how variant 2 attacks work and because of AMD's architectural implementation there is also extremely little risk in the future of variant 2 attacks happening, hence, near zero but not zero. Intel is 100% vulnerable to variant 2 attacks already written, AMD is 0% vulnerable to variant 2 attacks already written. Intel will be very vulnerable to future variant 2 attacks, AMD will be exceptionally unlikely to be vulnerable to such attacks.

I don't know how anyone can read all the information out there and have anything but a massive increase in confidence in AMD security while at the same time a massive decrease in confidence in Intel security.

Very well put, smilingcrow take note. I have no reason to doubt that AMD have been entirely honest with us. If they said there is 0% risk of variant 2 ever affecting them in the future, then the irony is that would be dishonest as it's not technically correct. In fact, you are probably more likely to be struck by lightning or win the lottery than variant 2 affecting your Ryzen CPU in the future due to the more secure and different to Intel branch prediction.
 
You are missing the point that I'm making so don't waste your time repeating yourself.
I am simply saying that the AMD response contained a meaningless PR term that raises a flag and no more.
I get the big picture and it looks good for AMD but I wish they hadn't used such a stupid phrase as it isn't helpful at times like these.

This is getting silly now, and this will be my last reply. Your first post said it was PR bull, actually let's quote it.

If they had said that no vulnerabilities have currently been found then that is clear and doesn't claim that they might not appear in the future.

So I replied to directly dispute this because this was just the small part of the statement made including the term near zero

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

That is exactly what you said was missing and made the term meaningless. So they said exactly what you said you wanted them to say... but that wasn't enough. When this was pointed out you said again it was meaningless PR term, that it is a binary situation and that you'd now have to look out at future security updates.... which is all nonsense.

First of all let's dispel the crux of your argument, near zero isn't a PR term, you're just saying it is. Near zero means nothing other than a number extremely close to zero, because it isn't a no risk situation, but the risk is exceptionally small. Again as I quoted to you twice now, included with that term was the sentence that no variant 2 attack has been shown to work on AMD processors. So we have the 'current' state that you asked for again after these posts, you have the sensible truth about the future, that maybe a variant 2 attack will be found that works in the future but due to their architecture the chance of that is... near zero.

Here's the thing, you can't calculate risk and what term did you want them to use about future risk, 0.02, 0.1, 0.023947590643% chance? The fact is they don't know the number but they can safely say it's..... near zero. It's not a PR term, it's not meaningless, it's not marketing, it's a sensible term to describe a risk that can't be quantified except in saying that it's extremely unlikely to occur.

At this point I think you're purposefully talking in circles with no real point except to wind people up.
 

Scenario: a public toilet in a small town is in use for decades, and one day the council decides that it has to close it at night to save costs. The toilet door is locked at night. A security researcher discovers that the door lock is weak and easily forced.

At the town hall the local councillor is meeting some people to work out what to do. The builder shakes his head and says they're not sure how to fix it without taking a closer look - the problem could be the lock itself, but perhaps the door jamb is worn or rotten and needs to be replaced, maybe even the door itself needs replacing. The security contractor says - nah, this is easy - just brick up the doorway!
 
So you want AMD to essentially not be 100% truthful or give an answer on assumption.
Go back to my original post where I said that at times like these it is helpful to not use ambiguous phrases such as 'Near zero'.
It's really quite that simple and disagree as much as you all like but I feel that is unhelpful.
I'm not asking AMD to predict the future as some drone on about. :rolleyes:
 
This issue is O/S agnostic.
My focus is on what AMD are actually saying.

Bear in mind that Variant 3 (Meltdown) is where the root cause is erroneous behaviour (a bug) which is known to be in Intel CPUs, and not in AMD CPUs, and the consequences of exploitation are severe, not to mention the known performance impact of the patch to mitigate the bug.

The other two variants are not caused by CPU bugs, but are side effects of correctly performed speculative execution and so affect pretty much all CPUs. It's much more difficult than Meltdown to exploit, and the consequences are more limited. This is where AMD are claiming near-zero risk, which is consistent with "low likelihood" x "limited impact".
 
Go back to my original post where I said that at times like these it is helpful to not use ambiguous phrases such as 'Near zero'.
It's really quite that simple and disagree as much as you all like but I feel that is unhelpful.
I'm not asking AMD to predict the future as some drone on about. :rolleyes:

Okay, so tell us what term AMD should have used instead of near zero, be specific.

Also no, your original post is this

In the current climate of looking for suspicion anywhere I think they have used an unnecessarily ambiguous phrase there with 'near zero'.
If they had said that no vulnerabilities have currently been found then that is clear and doesn't claim that they might not appear in the future.
But to say 'near zero' has me concerned as that can be typical PR speak.

You literally quantified the 'ambiguous' sentence by saying if they had said no vulnerabilities have currently been found...... except the very first reply to you quoted AMD saying exactly that along with the near zero statement.

But again that wasn't enough for you and you've gone in circles. This term isn't good enough unless(if) they say they have no current vulnerabilities... oh, they did say that, then it's a meaningless PR term because I was wrong but can't admit it and yeah, I'll say it's a binary situation(it's not) and when people explain why it's not binary I'll just accuse them of repeating themselves, etc, etc.

Actually not only name a term that isn't near zero, but explain why near zero is meaningless?
 
Bear in mind that Variant 3 (Meltdown) is where the root cause is erroneous behaviour (a bug) which is known to be in Intel CPUs, and not in AMD CPUs, and the consequences of exploitation are severe, not to mention the known performance impact of the patch to mitigate the bug.

The other two variants are not caused by CPU bugs, but are side effects of correctly performed speculative execution and so affect pretty much all CPUs. It's much more difficult than Meltdown to exploit, and the consequences are more limited. This is where AMD are claiming near-zero risk, which is consistent with "low likelihood" x "limited impact".


Just to highlight why AMD are saying this. The currently known ways to exploit speculative execution are shown to work on Intel chips and DON'T work on AMD chips. It's not that it's limited impact or anything, it's that due to (apparently from the explanation posted above) the method of attack used by people in variant 2 works due to a specific architecture trait in Intel cpus that is not there in AMD cpus.

It's not that it's just harder to use variant 2, as of yet no one has proved it can be done on AMD cpus and the near zero risk is because AMD can't claim that it will never be cracked on their architecture in the future.

The variant 2 attack, when it works, has potential for higher harm, it's just that as of yet no one can do it on AMD chips.
 
Go back to my original post where I said that at times like these it is helpful to not use ambiguous phrases such as 'Near zero'.
It's really quite that simple and disagree as much as you all like but I feel that is unhelpful.
I'm not asking AMD to predict the future as some drone on about. :rolleyes:

It is very simple. Not sure what you're still struggling with.
 
You are missing the point that I'm making so don't waste your time repeating yourself.
I am simply saying that the AMD response contained a meaningless PR term that raises a flag and no more.
I get the big picture and it looks good for AMD but I wish they hadn't used such a stupid phrase as it isn't helpful at times like these.

Agreed "near zero" has been polluted by PR - but it is valid to state that a risk is low. It's much better than implying that "everyone's affected!!1!1!one" when in fact there are two separate issues, the more serious of which is caused by a bug in Intel hardware.
 
A more traditional way of putting it would have been "no known vulnerabilities".

This is what AMD said specific to variant 2

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

Sorry but that is very clear, there are no known vulnerabilities to variant 2 (second sentence), and due to the difference in architecture to Intel who are currently vulnerable to it we believe there is a minuscule or near zero risk of exploitation in the future.

But this is in context where everyone apparently is now questioning the safety of speculative execution in security terms. It's a new type of attack yet AMD still think it's almost impossible they'll become vulnerable to it in the future, but they very clearly say right there along with it that none of the current attacks work against AMD architectures.

What people seem to want is AMD to say they aren't vulnerable to known attacks... yet that is what they said, but also say they won't ever be vulnerable to any future variant 2 attacks, despite them being new and simply not knowing how future attacks might proceed, which is crazy. However again as highlighted above (non predictable locations for data as opposed to Intel), it's going to be almost impossible in the future.

So in the context of current vulnerabilities they already said what you're suggesting, on future vulnerability again what should they have replaced near zero with?
 