News [ZDNet] Researchers discover and abuse new undocumented feature in Intel chipsets

Backdoors, backdoors, and more backdoors, in the Evil Empire's chips. Is anyone really surprised? Does the emperor know he needs a new wardrobe?

Nintendo started as a playing-card company, that moved into electronics and video games. Maybe Intel will be a computer chip company, that moves into making playing cards instead. 'cause they're not so great at creating chips, apparently, with any sort of usable security.

Or perhaps they should move their base of operations to Wisconsin, and start making Swiss Cheese. Something that they're already good at.
 
> Backdoors, backdoors, and more backdoors, in the Evil Empire's chips. Is anyone really surprised? Does the emperor know he needs a new wardrobe?
>
> Nintendo started as a playing-card company, that moved into electronics and video games. Maybe Intel will be a computer chip company, that moves into making playing cards instead. 'cause they're not so great at creating chips, apparently, with any sort of usable security.
>
> Or perhaps they should move their base of operations to Wisconsin, and start making Swiss Cheese. Something that they're already good at.


I wouldn't be the least bit surprised to find out that the U.S. government required all these backdoors and security vulnerabilities. The past couple years certainly haven't been good for Intel. It's been a great opportunity for AMD to catch up which in turn is great for us all. Hopefully both AMD and Intel will double down on security and we'll have both competition and secure devices.
 
This quote is from the researcher:
As Ermolov said yesterday, VISA is not a vulnerability in Intel chipsets, but just another way in which a useful feature could be abused and turned against users.

A mere 10 years ago such problems weren't even considered. For Spectre and Meltdown a Google report said disabling it altogether might be the only safe choice.

There was another report that said the biggest reason for security breaches and customer information loss is due to employees of the company themselves.

The problem is the combination of a fast decline in trust and an overabundant reliance on computers. Total security is impossible. It requires the designers be paranoid from the concept stage to production. Seems to be just a step away from the dystopian future where absolutely everyone is seen as a criminal and an enemy.

The real losers are always the people trying to live in a lawful, honest way.
 
Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.
 
This is very similar to those AMD exploits that needed physical access and flashing with evil firmware, meh. At least no one is blaming the source of the information this time.
 
> Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.

If you truly care about security, never ever ever EVER plug your Android telephone into your computer, whether it is to recharge or for the convenience of uploading photos.

A compromised Android or iPhone in the USB does count as physical access. And you can pretty much count on the possibility that it is infected (Acorn SoCs are one of the lousiest for security, and they don't get patched or maintained as much as x86). Heck, the old ARM 2 CPUs were bulletproof and secure, which is not something you can say for modern-day ARM SoCs; I pine for these days: https://www.theinquirer.net/inquirer/news/3064969/acorn-computers-risc-os-finally-goes-open-source
 
> This is very similar to those AMD exploits that needed physical access and flashing with evil firmware, meh. At least no one is blaming the source of the information this time.

The difference is with the AMD exploit:

- The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
- Tried to make the exploit seem far more serious than it was in the wake of the Spectre reveal.
- Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
- Tried to use it to promote their startup.

Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.
 
> The difference is with the AMD exploit:
>
> - The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
> - Tried to make the exploit seem far more serious than it was in the wake of the Spectre reveal.
> - Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
> - Tried to use it to promote their startup.
>
> Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.

The first point was the only real issue (and with good reason; as you said, it is against industry standards); the others were not known or were just speculation at that time. The general reaction to that "security problem" in the public was not normal and beyond anything I have seen in my life, to the point that there were people saying it was all a lie who went as far as to search for the stock photos they used with the green screen; that was too much.

Anyway, I said the same back in that day and I'm going to say the same again now: to me, anything that needs physical access for whatever reason, and even worse, firmware flashing, is not a security leak (especially in a world with daily side-channel exploits). There are tons of things I can do with physical access, especially if I can bring the system down for firmware flashing.
 
> The first point was the only real issue (and with good reason; as you said, it is against industry standards); the others were not known or were just speculation at that time. The general reaction to that "security problem" in the public was not normal and beyond anything I have seen in my life, to the point that there were people saying it was all a lie who went as far as to search for the stock photos they used with the green screen; that was too much.
>
> Anyway, I said the same back in that day and I'm going to say the same again now: to me, anything that needs physical access for whatever reason, and even worse, firmware flashing, is not a security leak (especially in a world with daily side-channel exploits). There are tons of things I can do with physical access, especially if I can bring the system down for firmware flashing.

Please don't try to validate the 'company' that tried that stunt. It's very disingenuous to attack the response to their 'operation'.
 
> Anyway, I said the same back in that day and I'm going to say the same again now: to me, anything that needs physical access for whatever reason, and even worse, firmware flashing, is not a security leak (especially in a world with daily side-channel exploits). There are tons of things I can do with physical access, especially if I can bring the system down for firmware flashing.

I agree that the exploit reveal itself isn't a big deal given that it's already patched and requires physical access, but I think the more interesting part is that it was discovered in a completely undocumented part of the chip.
 
> Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.

Agree. It's at best a theoretical issue affecting large data centers and nation states but not us average Joes. Also, physical access is a huge part of IT security (which often gets neglected).
 
> The difference is with the AMD exploit:
>
> - The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
> - Tried to make the exploit seem far more serious than it was in the wake of the Spectre reveal.
> - Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
> - Tried to use it to promote their startup.
>
> Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.

I'm kind of wondering if the VISA exploits will ever be fixable (in existing hardware). AMD's problems, as you stated, could be patched.
 