Those "40 %" for Macs correspond to disabled HT, too. ("Hyperthreading improves performance for certain workloads by 30 % to 40 %", see chapter 7)
VUSec's Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company's "bug bounty" program that rewards researchers who warn the company about critical flaws. That's hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by an $80,000 "gift"—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.
"It's clear what Intel is doing," says Giuffrida. "It's in their interest to say, 'No, after Spectre and Meltdown, we didn't overlook other vulnerabilities; it's just that these were so minor that they slipped by.'" In a call with WIRED, Intel denied trying to manipulate the perceived size of the bounty.
Another aspect to Zen 2 is AMD’s approach to heightened security requirements of modern processors. As has been reported, a good number of the recent array of side channel exploits do not affect AMD processors, primarily because of how AMD manages its TLB buffers that have always required additional security checks before most of this became an issue. Nonetheless, for the issues to which AMD is vulnerable, it has implemented a full hardware-based security platform for them.
The change here comes for the Speculative Store Bypass, known as Spectre v4, which AMD now has additional hardware to work in conjunction with the OS or virtual memory managers such as hypervisors in order to control. AMD doesn’t expect any performance change from these updates. Newer issues such as Foreshadow and Zombieload do not affect AMD processors.
I thought elliptic crypto stuff was fake 'security' the CIA had Cisco push into 'potential enemy' countries?
Ah, looks like that's the one I'm thinking of: the infamous Dual_EC_DRBG
Why don't you just give us your email passwords as well?
Try disabling both Meltdown and Spectre mitigation via the InSpectre app.
There are two scenarios for these side channel attacks: the first one is for those virtual machines from cloud providers. This is actually a huge problem for them because people used to believe that by using a virtual machine it's safe to share a physical machine with unknown people. This could make dedicated machines more popular but the thing is that large companies are already using them and small companies can't really afford them.
For desktop users, the problem is quite different, as most people don't really run untrusted code frequently, except (and this is a huge exception) for that pesky JavaScript code from random websites. This is really a difficult problem because people are expecting to have good JavaScript performance, so anything that causes a serious performance downgrade is not really acceptable. On the other hand, JavaScript is kind of easier to secure because the VM actually has the source code. And no, disabling JavaScript is not a realistic solution, at least for most people.