Intel has put us all at risk

If you have been following the news, you have surely been reading about Spectre and Meltdown, a huge vulnerability in the Intel chipset. Not only are Intel chips vulnerable, but so are chips used in Apple and AMD products.

As you can see, nearly every processor is vulnerable to this attack vector.

In short, this processor flaw has existed for nearly 20 years. Surely Intel and AMD were aware of the issue but have chosen to keep quiet about it. To date, all of the fixes rolled out have been met with one of two major effects:

  • Either the fix completely slows the workstation or server to a crawl in performance

  • The fix completely stopped the systems from booting (Ubuntu, Debian and some others)

Intel's first response to the Meltdown and Spectre rumors was an angry blog post that provided few details and claimed "Performance impacts are workload-dependent" and that the fixes should not be significant to the average user. The biggest issue with this stance is that some of us in the data science arena (such as Jigsaw Security) rely on processor performance to stay ahead of attacks; slowdowns cause further delays in data processing, which will cause security issues because we can't process things as fast as in the pre-fix state. In fact, our Ubuntu machines had to be reverted to a kernel version with the fix that still allowed our systems to boot. We have not noticed any slowdowns with this version, but we suspect that they will be evident when new kernels are released and we have had time to benchmark our systems again.

Intel has since reported that there is a significant performance impact in loading the fix. In short, the problem is that this is a hardware issue that these companies are trying to fix with a software fix. This will work temporarily, but the long-term impact will be that as soon as they patch one vector, other attack vectors will be found and we start this never-ending patching cycle over again. What Intel needs to do is replace every CPU in every system with hardware that is not vulnerable to this flaw. That would probably bankrupt the company, as these chips are in everything from computers to smart TVs to washers and dryers, wireless routers, phones and other devices.

At this point we are highly concerned for the security of our customers, even though Intel says that 90% of processor products introduced in the past five years will be patched against the issue by the end of this week (with a performance hit, of course).

What we know to date:

  • The problem was a long-standing problem that was more than likely being exploited already

  • The fixes are software patches to fix faulty hardware

  • The fixes are causing processors to slow in performance and computational power

  • I/O intensive systems such as cloud and virtualized environments will be especially affected by the slowdown of the processing

  • Some vendors are recommending not installing the patches on high performance computing environments if they do not run untrusted or externally produced code

It is the stance of Jigsaw Security that we do not have a choice but to patch, based on our compliance requirements of DoD and NIST recommendations. Not patching could cause our facilities to fail inspections, and that is simply not an option. Patching may cause performance issues that impact our existing products unless we make significant hardware upgrades to chipsets that are not vulnerable to the flaw. We know that Intel says they were aware of the issue since June of 2017, and it appears as though they may not have expected the issue to be released publicly, so they had to scramble to address it.

Testing for the Flaw

Customers running Unix-based systems can use the script from Stephane Lesimple that we have posted to our GitHub, which tests for a variety of conditions.

GitHub Repo
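
As a quick first look on Linux, the kernel's own mitigation report can be read from sysfs. The following is an added example, not the script from Stephane Lesimple referenced above, and it checks far less; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the referenced checker script): summarise the Linux
# kernel's self-reported status for Meltdown/Spectre from sysfs.
# Function names and the sample data below are constructed for illustration.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<name>: <verdict> (<raw status>)" for every entry in the directory.
# Returns 0 if no entry is vulnerable, 1 if at least one is, and 2 if the
# directory is absent (this kernel does not expose the report, so the
# status has to be determined another way).
check_cpu_vulns() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no kernel report at $dir"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f" 2>/dev/null || true)
        verdict=$(classify_status "$status")
        echo "$(basename "$f"): $verdict ($status)"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# Build a constructed sample directory so the check can be tried offline.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}
```

Calling `check_cpu_vulns` with no argument reads the live host; `check_cpu_vulns "$(make_sample_dir)"` runs it against the constructed sample.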

Windows-based users do not have an easy way to test for the flaw and may want to refer to this additional information of interest. In short, this is a major issue that will be with us for some time, until new chips come out and everybody upgrades. Several lawsuits have already sprung up, and we fully expect more as time goes forward.

#Spectre #Intel #AMD #Meltdown #Alert



© 2017-2018 Jigsaw Security Enterprise Inc.
