AMD

AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities (theverge.com) 74

An anonymous reader quotes a report from The Verge: AMD's initial response to the Meltdown and Spectre CPU flaws made it clear "there is a near zero risk to AMD processors." That zero risk doesn't mean zero impact, as we're starting to discover today. "We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," says Mark Papermaster, AMD's chief technology officer. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors "over the coming weeks." Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn't saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not. AMD is also revealing that its Radeon GPU architecture isn't impacted by Meltdown or Spectre, simply because those GPUs "do not use speculative execution and thus are not susceptible to these threats." AMD says it plans to issue further statements as it continues to develop security updates for its processors.
Businesses

Senator Wants Apple To Answer Questions on Slowing iPhones (reuters.com) 169

The chairman of a U.S. Senate committee overseeing business issues asked Apple to answer questions about its disclosure that it slowed older iPhones with flagging batteries, Reuters reported on Wednesday, citing a letter. From the report: The California-based company apologized over the issue on Dec. 28, cut battery replacement costs and said it will change its software to show users whether their phone battery is good. Senator John Thune, a Republican who chairs the Commerce, Science and Transportation Committee, said in a Jan. 9 letter to Apple Chief Executive Officer Tim Cook that "the large volume of consumer criticism leveled against the company in light of its admission suggests that there should have been better transparency."
Google

'The Web is Not Google, and Should Not be Just Google': Developers Express Concerns About AMP (ampletter.org) 99

A group of prominent developers published an open letter on Tuesday, outlining their deep concerns about Accelerated Mobile Pages, a project by Google that aims to improve user experience of the Web. Google services already dominate the Web, and at the scale at which AMP is growing, it could further reinforce Google's dominance of the Web, developers wrote. The letter acknowledges that web pages could be slow at times, but the solutions out there to address them -- AMP, Facebook's Instant Articles, Apple News -- are creating problems of their own, developers say. From the letter: Search engines are in a powerful position to wield influence to solve this problem. However, Google has chosen to create a premium position at the top of their search results (for articles) and a "lightning" icon (for all types of content), which are only accessible to publishers that use a Google-controlled technology, served by Google from their infrastructure, on a Google URL, and placed within a Google controlled user experience. The AMP format is not in itself, a problem, but two aspects of its implementation reinforce the position of Google as a de facto standard platform for content, as Google seeks to drive uptake of AMP with content creators: Content that "opts in" to AMP and the associated hosting within Google's domain is granted preferential search promotion, including (for news articles) a position above all other results. When a user navigates from Google to a piece of content Google has recommended, they are, unwittingly, remaining within Google's ecosystem.

If Google's objective with AMP is indeed to improve user experience on the Web, then we suggest some simple changes that would do that while still allowing the Web to remain dynamic, competitive and consumer-oriented: Instead of granting premium placement in search results only to AMP, provide the same perks to all pages that meet an objective, neutral performance criterion such as Speed Index. Publishers can then use any technical solution of their choice. Do not display third-party content within a Google page unless it is clear to the user that they are looking at a Google product. It is perfectly acceptable for Google to launch a "news reader," but it is not acceptable to display a page that carries only third party branding on what is actually a Google URL, nor to require that third party to use Google's hosting in order to appear in search results. We don't want to stop Google's development of AMP, and these changes do not require that.

Microsoft

Microsoft Details Performance Impact of Spectre and Meltdown Mitigations on Windows Systems (microsoft.com) 236

Microsoft's Windows chief Terry Myerson on Tuesday outlined how Spectre and Meltdown firmware updates may affect PC performance. From a blog post: With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don't expect most users to notice a change because these percentages are reflected in milliseconds.

With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance. With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.

Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel.

Graphics

Nvidia's GeForce Now Windows App Transforms Your Cheap Laptop Into a Gaming PC (theverge.com) 100

The GeForce Now game streaming service that Nvidia announced for the Mac last year is finally coming to Windows PCs. According to their website, the service lets you stream high-resolution games from your PC to your Mac or Windows PC that may or may not have the power to run the games natively. Starting this week, beta users of the GeForce Now Mac client will be able to install and run the Windows app. Tom Warren reports via The Verge: I got a chance to play with an early beta of the GeForce Now service on a $400 Windows PC at CES today. My biggest concerns about game streaming services are latency and internet connections, but Nvidia had the service set up using a 50mbps connection on the Wynn hotel's Wi-Fi. I didn't notice a single issue, and it honestly felt like I was playing PlayerUnknown's Battlegrounds directly on the cheap laptop in front of me. If I actually tried to play the game locally, it would be impossible as the game was barely rendering at all or at 2fps. Nvidia is streaming these games from seven datacenters across the US, and some located in Europe. I was playing in a Las Vegas casino from a server located in Los Angeles, and Nvidia tells me it's aiming to keep latency under 30ms for most customers. There's obviously going to be some big exceptions here, especially if you don't live near a datacenter or your internet connectivity isn't reliable. The game streaming works by dedicating a GPU to each customer, so performance and frame rates should be pretty solid. Nvidia is also importing Steam game collections into the GeForce Now service for Windows, making it even more intriguing for PC gamers who are interested in playing their collection on the go on a laptop that wouldn't normally handle such games.
Microsoft

Microsoft's Meltdown and Spectre Patch Is Bricking Some AMD PCs (betanews.com) 298

Mark Wilson writes: As if the Meltdown and Spectre bug affecting millions of processors was not bad enough, the patches designed to mitigate the problems are introducing issues of their own. Perhaps the most well-known effect is a much-publicized performance hit, but some users are reporting that Microsoft's emergency patch is bricking their computers. We've already seen compatibility issues with some antivirus tools, and now some AMD users are reporting that the KB4056892 patch is rendering their computer unusable. A further issue -- error 0x800f0845 -- means that it is not possible to perform a rollback.
Google

OpenBSD's De Raadt Pans 'Incredibly Bad' Disclosure of Intel CPU Bug (itwire.com) 366

troublemaker_23 quotes ITWire: Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults Intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

"It is a scandal, and I want repaired processors for free."
Biotech

The Orange Goo Used In Everything From Armor To Football Helmets (cnn.com) 96

dryriver writes: CNN has a story about a slimy, gooey orange gel developed by British company D3O as far back as 1999 that is very soft and fluid-like normally, but that hardens immediately when it receives an impact: It's a gel that acts as both a liquid and a solid. When handled slowly the goo is soft and flexible but the moment it receives an impact, it hardens. It's all thanks to the gel's shock-absorbing properties... Felicity Boyce, a material developer at D3O, told CNN, "if you hit it with great force, it behaves more like a solid that's absorbing the shock and none of that impact goes through my hand."

American football has become a huge market for the British company, where the gel is incorporated in padding and helmets to absorb the impact of any hits a player receives. D3O claims it can reduce blunt impact by 53% compared to materials like foam. The material can also be put inside running shoes to improve performance and reduce the risk of foot injury. Usain Bolt ran with D3O gel insoles in his shoes at the 2016 Rio Olympics.

The material is being tested in body armor. "While we don't have a material that can stop a bullet, we do have a material that can reduce the amount of trauma that your body would experience if you got shot." There are also soft smartphone casings using the gel that harden when the phone is dropped and hits a hard surface.

Intel

Linus Torvalds Says Intel Needs To Admit It Has Issues With CPUs (itwire.com) 271

troublemaker_23 shares an article from ITWire: Linux creator Linus Torvalds has had some harsh words for Intel in the course of a discussion about patches for two bugs that were found to affect most of the company's processors... Torvalds was clearly unimpressed by Intel's bid to play down the crisis through its media statements, saying: "I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed... Or is Intel basically saying 'we are committed to selling you shit forever and ever, and never fixing anything'?" he asked. "Because if that's the case, maybe we should start looking towards the ARM64 people more."
Elsewhere Linus told ZDNet that "there's no one number" for the performance drop users will experience after patches. "It will depend on your hardware and on your load. I think 5 percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation. A number of loads will spend almost all their time in user space, and not see much of an impact at all."
Intel

Intel Hit With Three Class-Action Lawsuits Over Meltdown and Spectre Bugs (theguardian.com) 217

An anonymous reader quotes a report from The Guardian: Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week. Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel's delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it "can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment." The plaintiffs also cite the alleged computer slowdown that will be caused by the fixes needed to address the security concerns, which Intel disputes is a major factor. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel said in an earlier statement.
Operating Systems

Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown (raspberrypi.org) 116

Raspberry Pi founder and CEO Eben Upton says the Raspberry Pi isn't susceptible to the "Spectre" or "Meltdown" vulnerabilities because of the particular ARM cores they use. "Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel's address space (which should normally be inaccessible to user programs)," Upton writes. He goes on to provide a "primer on some concepts in modern processor design" and "illustrate these concepts using simple programs in Python syntax..."

In conclusion: "Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve," writes Upton. "Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort."
Google

Google Says CPU Patches Cause 'Negligible Impact On Performance' With New 'Retpoline' Technique (theverge.com) 120

In a post on Google's Online Security Blog, two engineers described a novel chip-level patch that has been deployed across the company's entire infrastructure, resulting in only minor declines in performance in most cases. "The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique," reports The Verge. "If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted." From the report: "There has been speculation that the deployment of KPTI causes significant performance slowdowns," the post reads, referring to the company's "Kernel Page Table Isolation" technique. "Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance." "Of course, Google recommends thorough testing in your environment before deployment," the post continues. "We cannot guarantee any particular performance or operational impact."

Notably, the new technique only applies to one of the three variants involved in the new attacks. However, it's the variant that is arguably the most difficult to address. The other two vulnerabilities -- "bounds check bypass" and "rogue data cache load" -- would be addressed at the program and operating system level, respectively, and are unlikely to result in the same system-wide slowdowns.

Intel

By Next Week, Intel Expects To Issue Updates To More Than 90% of Processor Products Introduced Within Past Five Years (intel.com) 289

Intel said on Thursday that by next week it expects to have patched 90 percent of its processors that it released within the last five years, making PCs and servers "immune" from both the Spectre and Meltdown exploits. The company adds: Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact. System updates are made available by system manufacturers, operating system providers and others.

Intel

Intel Responds To Alleged Chip Flaw, Claims Effects Won't Significantly Impact Average Users (hothardware.com) 375

An anonymous reader quotes a report from Hot Hardware: The tech blogosphere lit up yesterday afternoon after reports that a critical bug in modern Intel processors has the potential to seriously impact systems running Windows, Linux and macOS. The alleged bug is so severe that it cannot be corrected with a microcode update, and instead, OS manufacturers are being forced to address the issue with software updates, which in some instances requires a redesign of the kernel software. Some early performance benchmarks have even suggested that patches to fix the bug could result in a performance hit of as much as 30 percent. Since reports on the issue have exploded over the past 24 hours, Intel is looking to cut through the noise and tell its side of the story. The details of the exploit and software/firmware updates to address the matter at hand were scheduled to go live next week. However, Intel says that it is speaking out early to combat "inaccurate media reports."

Intel acknowledges that the exploit has "the potential to improperly gather sensitive data from computing devices that are operating as designed." The company further goes on to state that "these exploits do not have the potential to corrupt, modify or delete data." The company goes on to state that the "average computer user" will be negligibly affected by any software fixes, and that any negative performance outcomes "will be mitigated over time." In a classic case of trying to point fingers at everyone else, Intel says that "many different vendors' processors" are vulnerable to these exploits.
You can read the full statement here.
Bug

'Kernel Memory Leaking' Intel Processor Design Flaw Forces Linux, Windows Redesign (theregister.co.uk) 416

According to The Register, "A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." From the report: Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in this month's Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December. Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- specifically, PCID -- to reduce the performance hit. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated -- the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder. Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue. The report goes on to share some details of the flaw that have surfaced. "It is understood the bug is present in modern Intel processors produced in the past decade," reports The Register. "It allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the contents of protected kernel memory. The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI."
Iphone

Apple's iPhones Were the Best-Selling Tech Product of 2017 (usatoday.com) 88

An anonymous reader quotes USA Today: Once again, the iPhone was the best-selling tech product of 2017, selling more units than the No. 2 through No. 5 products combined. According to Daniel Ives, an analyst with GBH Insights, who compiled the chart for USA TODAY, Apple will sell 223 million iPhones in 2017, up from 211 million phones the previous year... Apple took a risk in introducing three new iPhones for 2017...but all in all, Apple sold more iPhones total, although fewer than the peak year of 2015, when it moved 230 million units. (That was the year of the iPhone 6...)

The global market share for smartphones is dominated by Google's Android system, which owns 85%, compared to 15% for Apple's iOS, according to researcher IDC. But the iPhone is the most popular smartphone brand, having opened a huge gap compared to No. 2 Samsung's Galaxy phones at 33 million. However Samsung, which has a broader portfolio of phones, sells more overall. Indeed, in 2016, Samsung shipped over 320 million phones, most lower-priced phones sold outside the United States, like the J3, On8 and A9 lines.

Apple's strong performance through September earned CEO Tim Cook a $9.3 million bonus on top of his $3.06 million salary -- plus vesting of $89.2 million more in Apple stock. Here's the complete list of the five best-selling tech products of 2017:
  • Apple iPhones: 223 million
  • Samsung Galaxy S8 and Note 8 smartphones: 33 million
  • Amazon Echo Dot connected speakers: 24 million
  • Apple Watch: 20 million
  • Nintendo Switch video game console: 15 million

Iphone

Apple Apologizes For iPhone Slowdown Drama, Will Offer $29 Battery Replacements (theverge.com) 254

An anonymous reader quotes a report from The Verge: Apple just published a letter to customers apologizing for the "misunderstanding" around older iPhones being slowed down, following its recent admission that it was, in fact, slowing down older phones in order to compensate for degrading batteries. "We know that some of you feel Apple has let you down," says the company. "We apologize." Apple says in its letter that batteries are "consumable components," and is offering anyone with an iPhone 6 or later a battery replacement for $29 starting in late January through December 2018 -- a discount of $50 from the usual replacement cost. Apple's also promising to add features to iOS that provide more information about the battery health in early 2018, so that users are aware of when their batteries are no longer capable of supporting maximum phone performance.
Cellphones

HTC, Motorola Say They Don't Slow Old Phones Like Apple Does (theverge.com) 133

After Apple confirmed last week that it reduces the performance of older iPhones to improve battery life, it has left many wondering whether or not other smartphone manufacturers do the same. HTC and Motorola are the two most recent OEMs to say they don't throttle their phones' processor speeds as their batteries age. The Verge reports: In emails to The Verge, both companies said they do not employ similar practices with their smartphones. An HTC spokesperson said that designing phones to slow down their processor as their battery ages "is not something we do." A Motorola spokesperson said, "We do not throttle CPU performance based on older batteries." The Verge also reached out to Google, Samsung, LG, and Sony for comment on whether their phone processors are throttled in response to aging batteries. A Sony spokesperson said a response would be delayed by the holidays, and a Samsung spokesperson said the company was looking into it. The responses begin to clarify whether or not throttling processor speeds is typical behavior in smartphones -- as of last week, we knew that Apple was doing it, but not whether it was common practice among competitors. HTC and Motorola's responses start to suggest that it's not.
Government

Net Neutrality Complaints Rise Amid FCC Repeal (axios.com) 183

An anonymous reader shares a report: Internet users are complaining more about net neutrality-related issues since the FCC voted to repeal the existing net neutrality rules earlier this month, according to the FCC's consumer complaint data. The FCC allows consumers to submit complaints about a variety of telecom-related problems, from receiving unwanted phone calls to billing fraud. After adopting net neutrality rules in 2015, the FCC added net neutrality to the list of possible gripes, such as slowed-down internet service or content being blocked. The FCC can use those complaints to spot trends or even launch investigations. According to the data (via the FCC's Consumer Complaint Center), people appear to file more net neutrality complaints when the topic is in the news and people are paying more attention to their internet performance.
Opera

Opera 50 Web Browser Will Offer Anti-Bitcoin Cryptocurrency Mining Feature (betanews.com) 76

BrianFagioli writes: The upcoming version 50 of the Opera web browser will offer an integrated anti-Bitcoin mining feature. Besides Bitcoin, it will also block the mining of other cryptocurrencies such as Litecoin and Ethereum. If you aren't aware, some websites are hijacking user computers to mine for cryptocurrencies. This is not only a potential violation of trust, but it can negatively impact the computer's performance too. Mining is also a huge waste of electricity. Opera 50 will offer an optional setting that, when enabled, blocks this nonsense.
