So a nonexistent 5nm is better than a nonexistent 1nm. Solid. Is everything that came after Skylake "fake" because they're basically all 14nm Skylake parts?
You beat me to it. Steal the IP of a company so bad that every quarter's earnings release includes a "list" of delays to future products. Someone's going to sift through that trove and say "this is all garbage!" Seriously would anyone be shocked?
If you had paid attention, the bottleneck was clearly the 10nm process. They were not able to get the newest architectures as products (cannonlake, icelake, tigerlake). you can clearly see icelake ipc is much better than Zen2. They are not able to get the clocks in 10nm.
This breach may have a knock on impact on Intel's security going forward. With their procesors already suffering from serious security issues over the years, this is just going to compound on their security woes.
I hate to say it, but this is great for PC hardware news outlets, even those that generally avoid rumors like Anandtech. Analysis, ramifications and further leaks will drip out for months.
No, because it would take centuries to exfiltrate 20GB of data using currently available hypeclown exploits. I really wish the media would stop blowing this shit out of proportion and more importantly, I *REALLY* wish vendors would have an option to disable all these bullshit mitigations for impossible scenarios because it doesn't and never will affect normal single user computers.
That is exactly how not to approach security. Leave a "impossible scenario" unpatched, and it'll show up in a long exploit chain somewhere in the future.
Ahhhh, the old "hey, we're all friendly here! Nobody cares about your data so it's OK even if you get hacked!" routine.
Have you ever been on the internet? Do you think it is such a friendly place? Then by all means, please disable all multi-factor authentication on your primary email account and drop your username & password here. AT comment-sections are probably one of the most friendly places on the internet, and hey, nobody is interested in your emails to your mom. You're perfectly safe, no need to wear a "tinfoil hat" here. You can show us all about it through your own example, big boy.
Sorry to say, but that's complete nonsense. Firstly, the Intel security mitigations are absolutely necessary for "single user computers" because modern "single user computers" happen to run software which comes from the internet and other sources. The issues break isolation at the hardware level, and you don't need to have a multi-user computer to have security-relevant isolation between processes.
Secondly, nobody is going to exfiltrate data purely through attacks that target Intel's security issues - that would be grossly inefficient. Any attacker is going to use the Intel security issue to gain more access to the system, and once they have a sufficient level of access, they can use it to efficiently exfiltrate any amount of data that they'd like.
It's probably good to have the mitigations available for front end systems, but there are many back end cases where performance would be preferable to the marginal increase in security.
Again, nobody cares. "happen to run software". Yeah, I know exactly what software is running and why. Nobody, and I mean absolutely NOBODY cares about your shitty desktop PC. But now you have to deal with retarded mitigations that make already lazily written shitty software even shittier.
A "virus" in 2020 is a retarded .exe made with python2exe attached to email with a "omg click me to win 20,000,000 GBP", its pretty damn obvious what it's going to do if executed.
> through attacks that target Intel's security issues - that would be grossly inefficient We all know this data was just some shit leftover in a file share. Also most of it is just useless rubbish anyway.
It is 1000000000% easier to social engineer access, obtain physical access by breaking a window, obtain physical access by beating up a guy leaving some office and grabbing his keycard, etc.
I bet you fucking run several copies of AV software which is why you need 32core AMD shitheap to compute, cuz 30 of them are busy scanning every fucking text file you open for "viruses".
Since my doctorate is in the field of information security, I have to say that this made me laugh - and also cry a bit, because it is exactly this attitude that actively prevents OS vendors from allowing users full control over their machines. The classic case-in-point is Sasser, a worm for which the patch had been issued over 2 weeks earlier, but which many admins and ordinary users had decided not to apply (or not yet decided to apply - the effects were the same). The resulting carnage downed critical organizations for hours or days.
Sasser does not stand alone, of course. Decades of experience have taught us that users strongly believe that they know enough about risk and infosec to make good choices, and also that they are most often grossly mistaken. We live in a world filled with zombie botnets because of this. Nor does more education rectify the problem: study after study shows that despite strong security messaging, many users will give up their passwords for something as trivial as a candy-bar. Users also fail to realize the subtlety of the risks that they are faced with on the internet, and this is why browser manufacturers have had to essentially create mini-OSes with sandboxing to keep users safe from their poor choices (and even then, users find ways to screw themselves over). Unless you have at least 2-4 years of deep experience with infosec, it's difficult to properly comprehend the modern risk landscape, and it's very easy to make poor decisions through ignorance alone. There are few users who will immerse themselves in the field to that extent, which means that it really is up to vendors, at a practical and pragmatic level.
Your response joins a long line of arrogant user statements that claim, despite all observable facts, to know better than trained infosec professionals. Congratulations, I suppose? And please understand that you (and people like you) are the reason that we cannot have some very nice things, such as developer access to ring-0. You are the reason that OS vendors HAVE to apply Intel's mitigations whether you like them or not, because they simply cannot trust you to make reasonable and informed decisions.
I fully understand that this response will not change your mind one whit and research shows that, if anything, you will become even more adamant that you are right. That's OK; I'm not writing it for you. I'm writing it for other people who may run across it because research also shows that if you don't have your ego on the line, you actually can learn a lot from the experts.
I wish you the best of luck on the internet, timecop1818. You'll certainly need it.
Isn't Intel responsible for writing the code for those mitigations? Does that not imply the problem in the performance decrease is caused by Intel? How does that fit into your view of the company and your loyalties if you despise it for poor performance? That seems conflict with your established brand loyalties.
Defaults ALWAYS matter. If you, as a developer, expect 100% of your users to NOT be idiots (and understand all of the complexities of your solution), then YOU are the bigger idiot. UX 101.
The problem is nobody who deserves the boot is getting it. Everyone who has recently left will happily make a successful living elsewhere. The rats are steering the ship.
State capitalism a-la Soviet Russia / China is not equal to communism, but tbh I don't really care, because I don't see how to produce the latter without it degenerating into the former and - more crucially - this was just a comment on how the imperviousness of executives really sucks.
Did we all collectively time-travel back to the 1950s? Why is is that the most popular response to pointing out manifest issues with our current variant of global capitalism is, once again, "but muh communism"?
Do the data include Intel's real supply situation and fab availability? Or information on what went wrong and is still going wrong with their 10 nm and 7 nm process? That would be interesting to know!
So, unlike Assange, this Kottmann isn’t going to be put into a glass cage in a courtroom after being put on house arrest for how many years in a random embassy?
And Greenwald is apparently sitting on 95% of the Snowden archive while claiming that the only people interested in its contents are lunatic fringe. I’m not seeing much symmetry between these three examples.
WHERE IS THE QUALCOMM VULNERABILITY NEWS? When Intel has the tiniest vulnerability, the press is booming. In 5 minutes every single hardware outlet is putting that news up front, first page, boom. When new vulnerabilities that affect ARM, AMD, IBM CPUs also appear, nothing. Absolutely nothing. I guess that is not interesting enough for you. Shame on you.
It is interesting that Anandtech does not report on major vulnerabilities. Ripple20, for instance, never made it on AT's radar and the Qualcomm matter appears as though it too will slip past them.
To be fair, Anandtech is not an information security site and does not have the staffing or expertise to understand cybersecurity at more than a superficial level so perhaps that is best left to those with more specialized experience and AT should continue to republish press releases covering gaming motherboards, video cards, and the most recent new goo-gaw phone without regard for information security.
We’ve updated our terms. By continuing to use the site and/or by logging into your account, you agree to the Site’s updated Terms of Use and Privacy Policy.
79 Comments
Back to Article
Arbie - Thursday, August 6, 2020 - link
It would be quite a cheap shot to ask who wants Intel IP these days, so I won't.shabby - Thursday, August 6, 2020 - link
Tsmc wants that magical 10nm recipe 🤭willis936 - Thursday, August 6, 2020 - link
You should let Intel know when you find it.FXi - Thursday, August 6, 2020 - link
So does Intel so they'll be happy if you find what they could not.Spunjji - Friday, August 7, 2020 - link
😆regsEx - Friday, August 7, 2020 - link
TSMC might want Intel's 5 nm which is in development and would be a competitor to TSMC fake 1 nm.close - Friday, August 7, 2020 - link
So a nonexistent 5nm is better than a nonexistent 1nm. Solid. Is everything that came after Skylake "fake" because they're basically all 14nm Skylake parts?Spunjji - Friday, August 7, 2020 - link
Intel "5nm" would compete with TSMC "3nm", but do go off 😄dotjaz - Friday, August 7, 2020 - link
Bahahahahaha, Intel's 10nm is "in-production". Now we are talking 5nm. So realistic.Zingam - Saturday, August 8, 2020 - link
Huawei wantz itgloppppp - Sunday, August 9, 2020 - link
Bingo!!!!!sonny73n - Tuesday, August 11, 2020 - link
BS Zingam. Nobody wants that outdated 14nm from Intel. Huawei can produce 12nm on their own.FXi - Thursday, August 6, 2020 - link
You beat me to it. Steal the IP of a company so bad that every quarter's earnings release includes a "list" of delays to future products. Someone's going to sift through that trove and say "this is all garbage!" Seriously would anyone be shocked?bhramastra - Thursday, August 6, 2020 - link
Such low effort commentsbhramastra - Thursday, August 6, 2020 - link
You are right, 6 year old Intel IP keeping up with latest AMD products. Who wouldn't want it.loopery - Friday, August 7, 2020 - link
You would think they'd have something else up their sleeves -- it's been 6 years after all -- but they don't, and that's the sad part ;)DigitalFreak - Friday, August 7, 2020 - link
But those marketing templates are gold!Spunjji - Friday, August 7, 2020 - link
That would be a better line they hadn't, you know, been *very obviously trying and failing* to release newer IP across their product range. 😏dotjaz - Friday, August 7, 2020 - link
They spent 6 years without improvement even going backwards to fix security issues after security issues. I bet everybody wants in those holes.bhramastra - Friday, August 7, 2020 - link
If you had paid attention, the bottleneck was clearly the 10nm process. They were not able to get the newest architectures as products (cannonlake, icelake, tigerlake). you can clearly see icelake ipc is much better than Zen2. They are not able to get the clocks in 10nm.Chaitanya - Friday, August 7, 2020 - link
Chinese would buy it.danjw - Friday, August 7, 2020 - link
Well for current products, just about any CPU company. Why not? See what the competition is up to.dotjaz - Friday, August 7, 2020 - link
YEARS AGO?Zingam - Saturday, August 8, 2020 - link
Iz Intel an American company or iz it an Israeli-Indian one?Oh, they were so proud by their Israeli division (MOSAD-approved) that developed these Core CPUs weren't they :)
Spunjji - Tuesday, August 11, 2020 - link
Love too cross the boundaries from critique of Israel to antisemitic dog-whistles. No, Israel does not run Intel.peevee - Tuesday, August 11, 2020 - link
Not very secret IP if it has been shared with customers.zamroni - Thursday, August 6, 2020 - link
It seems the administrators forgot to install patchesikjadoon - Thursday, August 6, 2020 - link
>Otherwise, in a bit of situational irony, this leak is likely to cast doubt upon all future Intel leaks.A death knell for many a YouTube channel. Goodbye, AdSense payments...
alumine - Thursday, August 6, 2020 - link
So...Did someone manage to get an intel on Intel's Intellectual property?
watzupken - Thursday, August 6, 2020 - link
This breach may have a knock on impact on Intel's security going forward. With their procesors already suffering from serious security issues over the years, this is just going to compound on their security woes.willis936 - Thursday, August 6, 2020 - link
The first step they could take is to not use Intel123 to protect 20 years worth of encrypted archives.PeachNCream - Friday, August 7, 2020 - link
Bob Swan - "One, two, three, four, five? That's amazing! I've got the same password on my Resource and Design Center!"DigitalFreak - Friday, August 7, 2020 - link
I heard it was AMDsucksFXi - Thursday, August 6, 2020 - link
Rats I thought the pw was "alltheLakes"tygrus - Thursday, August 6, 2020 - link
New slogan "Intel outside"brucethemoose - Thursday, August 6, 2020 - link
I hate to say it, but this is great for PC hardware news outlets, even those that generally avoid rumors like Anandtech. Analysis, ramifications and further leaks will drip out for months.yeeeeman - Friday, August 7, 2020 - link
This is not even a rumour. You can go and browse the files yourself, you have even tigerlake related files.nandnandnand - Friday, August 7, 2020 - link
How detailed are the "roadmaps"? Those alone could be very interesting, and Intel is already publicly talking about 1.4nm in 2029.Nozuka - Friday, August 7, 2020 - link
Ooopsie. Wouldn't it be ironic, if something like Spectre/Meltdown was the cause of this breach.timecop1818 - Friday, August 7, 2020 - link
No, because it would take centuries to exfiltrate 20GB of data using currently available hypeclown exploits. I really wish the media would stop blowing this shit out of proportion and more importantly, I *REALLY* wish vendors would have an option to disable all these bullshit mitigations for impossible scenarios because it doesn't and never will affect normal single user computers.brucethemoose - Friday, August 7, 2020 - link
That is exactly how not to approach security. Leave a "impossible scenario" unpatched, and it'll show up in a long exploit chain somewhere in the future.timecop1818 - Friday, August 7, 2020 - link
Nobody cares about all the porn on your desktop. Not even yourself. Drop your tinfoil hat.Carmen00 - Friday, August 7, 2020 - link
Ahhhh, the old "hey, we're all friendly here! Nobody cares about your data so it's OK even if you get hacked!" routine.Have you ever been on the internet? Do you think it is such a friendly place? Then by all means, please disable all multi-factor authentication on your primary email account and drop your username & password here. AT comment-sections are probably one of the most friendly places on the internet, and hey, nobody is interested in your emails to your mom. You're perfectly safe, no need to wear a "tinfoil hat" here. You can show us all about it through your own example, big boy.
Spunjji - Friday, August 7, 2020 - link
How dare you imply that timcarp182 is not a supergenius pragmatic expert in the cyberMakaveli - Friday, August 7, 2020 - link
lol Timcops1818 views are outdated and ridiculous thanks for the laugh.Carmen00 - Friday, August 7, 2020 - link
Sorry to say, but that's complete nonsense. Firstly, the Intel security mitigations are absolutely necessary for "single user computers" because modern "single user computers" happen to run software which comes from the internet and other sources. The issues break isolation at the hardware level, and you don't need to have a multi-user computer to have security-relevant isolation between processes.Secondly, nobody is going to exfiltrate data purely through attacks that target Intel's security issues - that would be grossly inefficient. Any attacker is going to use the Intel security issue to gain more access to the system, and once they have a sufficient level of access, they can use it to efficiently exfiltrate any amount of data that they'd like.
voicequal - Friday, August 7, 2020 - link
It's probably good to have the mitigations available for front end systems, but there are many back end cases where performance would be preferable to the marginal increase in security.timecop1818 - Saturday, August 8, 2020 - link
Again, nobody cares. "happen to run software". Yeah, I know exactly what software is running and why. Nobody, and I mean absolutely NOBODY cares about your shitty desktop PC. But now you have to deal with retarded mitigations that make already lazily written shitty software even shittier.A "virus" in 2020 is a retarded .exe made with python2exe attached to email with a "omg click me to win 20,000,000 GBP", its pretty damn obvious what it's going to do if executed.
> through attacks that target Intel's security issues - that would be grossly inefficient
We all know this data was just some shit leftover in a file share. Also most of it is just useless rubbish anyway.
It is 1000000000% easier to social engineer access, obtain physical access by breaking a window, obtain physical access by beating up a guy leaving some office and grabbing his keycard, etc.
I bet you fucking run several copies of AV software which is why you need 32core AMD shitheap to compute, cuz 30 of them are busy scanning every fucking text file you open for "viruses".
Carmen00 - Monday, August 10, 2020 - link
Since my doctorate is in the field of information security, I have to say that this made me laugh - and also cry a bit, because it is exactly this attitude that actively prevents OS vendors from allowing users full control over their machines. The classic case-in-point is Sasser, a worm for which the patch had been issued over 2 weeks earlier, but which many admins and ordinary users had decided not to apply (or not yet decided to apply - the effects were the same). The resulting carnage downed critical organizations for hours or days.Sasser does not stand alone, of course. Decades of experience have taught us that users strongly believe that they know enough about risk and infosec to make good choices, and also that they are most often grossly mistaken. We live in a world filled with zombie botnets because of this. Nor does more education rectify the problem: study after study shows that despite strong security messaging, many users will give up their passwords for something as trivial as a candy-bar. Users also fail to realize the subtlety of the risks that they are faced with on the internet, and this is why browser manufacturers have had to essentially create mini-OSes with sandboxing to keep users safe from their poor choices (and even then, users find ways to screw themselves over). Unless you have at least 2-4 years of deep experience with infosec, it's difficult to properly comprehend the modern risk landscape, and it's very easy to make poor decisions through ignorance alone. There are few users who will immerse themselves in the field to that extent, which means that it really is up to vendors, at a practical and pragmatic level.
Your response joins a long line of arrogant user statements that claim, despite all observable facts, to know better than trained infosec professionals. Congratulations, I suppose? And please understand that you (and people like you) are the reason that we cannot have some very nice things, such as developer access to ring-0. You are the reason that OS vendors HAVE to apply Intel's mitigations whether you like them or not, because they simply cannot trust you to make reasonable and informed decisions.
I fully understand that this response will not change your mind one whit and research shows that, if anything, you will become even more adamant that you are right. That's OK; I'm not writing it for you. I'm writing it for other people who may run across it because research also shows that if you don't have your ego on the line, you actually can learn a lot from the experts.
I wish you the best of luck on the internet, timecop1818. You'll certainly need it.
K_Space - Tuesday, August 11, 2020 - link
Thanks Carmen00; comments like these makes AT worth it... and timecop1818 for the laughs :PSpunjji - Tuesday, August 11, 2020 - link
Savage. Flawless victory and a genuinely useful response for other readers, too. Thanks Carmen00.Spunjji - Tuesday, August 11, 2020 - link
Cool cool. An assortment of slurs, grossly overstated pompous claims about security and then the creation of an elaborate strawman to beat on.If physical access is sO mUcH eAsIeR then why is my organisation under constant threat of IT attacks but hasn't had a break-in in years? 🤔
PeachNCream - Tuesday, August 11, 2020 - link
"...retarded mitigations..."Isn't Intel responsible for writing the code for those mitigations? Does that not imply the problem in the performance decrease is caused by Intel? How does that fit into your view of the company and your loyalties if you despise it for poor performance? That seems conflict with your established brand loyalties.
ZoZo - Friday, August 7, 2020 - link
You don't need to exfiltrate 20GB, only a few bytes for the password.Spunjji - Friday, August 7, 2020 - link
It's sweet that you think they would exfiltrate the data when, in reality, they would just exfiltrate information that gives them access to that data.It's almost like you have no real idea how any of this works! 🤔
peevee - Tuesday, August 11, 2020 - link
All you need is getting the password out, just a few bytes.brucethemoose - Friday, August 7, 2020 - link
On the contrary, it looks like yet another public, unsecured server that someone stumbled upon.Misconfigured cloud instances are the gift that just keeps on giving.
Krysto - Monday, August 10, 2020 - link
And it somehow only happens on Amazon's cloud.Wait, I think I'm seeing a pattern here...
Defaults ALWAYS matter. If you, as a developer, expect 100% of your users to NOT be idiots (and understand all of the complexities of your solution), then YOU are the bigger idiot. UX 101.
Lord of the Bored - Friday, August 7, 2020 - link
I petition to rename this article"Intel's Chief of Cybersecurity and the Terrible, Horrible, No-Good, Very Bad Day."
FakThisShttyGame - Friday, August 7, 2020 - link
Is it only me that it’s kind of coincide with their recent management changesValantar - Friday, August 7, 2020 - link
It would be downright hilarious if this was posted by a pissed-off executive after getting the boot. Though I sincerely doubt that to be the case.willis936 - Friday, August 7, 2020 - link
The problem is nobody who deserves the boot is getting it. Everyone who has recently left will happily make a successful living elsewhere. The rats are steering the ship.PeachNCream - Friday, August 7, 2020 - link
In all fairness, they are letting Murthy Renduchintala go.Spunjji - Friday, August 7, 2020 - link
Even if the rats left, they'd still happily make a living elsewhere. That's the Joy of Corporatism!Luminar - Friday, August 7, 2020 - link
Okay, let's just switch from corporatism to communism.Oxford Guy - Friday, August 7, 2020 - link
Switch? It’s the same thing with different labeling.Spunjji - Tuesday, August 11, 2020 - link
State capitalism a-la Soviet Russia / China is not equal to communism, but tbh I don't really care, because I don't see how to produce the latter without it degenerating into the former and - more crucially - this was just a comment on how the imperviousness of executives really sucks.Spunjji - Tuesday, August 11, 2020 - link
Did we all collectively time-travel back to the 1950s? Why is is that the most popular response to pointing out manifest issues with our current variant of global capitalism is, once again, "but muh communism"?I'm not a communist, but you seem like a jackass.
eastcoast_pete - Friday, August 7, 2020 - link
Do the data include Intel's real supply situation and fab availability? Or information on what went wrong and is still going wrong with their 10 nm and 7 nm process? That would be interesting to know!peevee - Tuesday, August 11, 2020 - link
Extremely interesting!Somebody has 20GB of reading to do.
Oxford Guy - Friday, August 7, 2020 - link
So, unlike Assange, this Kottmann isn’t going to be put into a glass cage in a courtroom after being put on house arrest for how many years in a random embassy?Oxford Guy - Friday, August 7, 2020 - link
And Greenwald is apparently sitting on 95% of the Snowden archive while claiming that the only people interested in its contents are lunatic fringe. I’m not seeing much symmetry between these three examples.Spunjji - Tuesday, August 11, 2020 - link
🙄yeeeeman - Monday, August 10, 2020 - link
WHERE IS THE QUALCOMM VULNERABILITY NEWS?When Intel has the tiniest vulnerability, the press is booming. In 5 minutes every single hardware outlet is putting that news up front, first page, boom.
When new vulnerabilities that affect ARM, AMD, IBM CPUs also appear, nothing. Absolutely nothing.
I guess that is not interesting enough for you.
Shame on you.
Spunjji - Tuesday, August 11, 2020 - link
I'm seeing news about it all over the place - mostly mainstream news sites rather than tech, though.PeachNCream - Tuesday, August 11, 2020 - link
It is interesting that Anandtech does not report on major vulnerabilities. Ripple20, for instance, never made it on AT's radar and the Qualcomm matter appears as though it too will slip past them.To be fair, Anandtech is not an information security site and does not have the staffing or expertise to understand cybersecurity at more than a superficial level so perhaps that is best left to those with more specialized experience and AT should continue to republish press releases covering gaming motherboards, video cards, and the most recent new goo-gaw phone without regard for information security.
DigitalFreak - Monday, August 10, 2020 - link
Probably more people interested in it to find exploits than to steal their 14nm++++++++++++++++++++++ secrets.M O B - Tuesday, August 11, 2020 - link
Perhaps a security researcher finally got tired of Intel lying about existing vulnerabilities and that dump includes proof of various half fixes.