"Intel in jeopardy" from insiders. Much much worse than what they tell.

Not just to AMD, but also back to Intel, perhaps more than once as business needs dictate.

While I agree that it's obviously well withing the realm of possibility, it also represents a reduction in operational flexibility that may not be acceptable to an enterprise.

True, every environment is different. I suppose a better argument would be to say that given enough resources, it should be possible to overcome these issues in almost any environment.
 
Yes, no CPU is 100% secure.

Here's an AMD-specific CPU vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9836

Here's AMD's own words about a different vulnerability:



This isn't a sporting event, and AMD isn't your favorite team. They are a for-profit company, competing with Intel for your money (and mine).

was that from CTS labs?

you know that was just an attempt to devalue a company

and look how well it worked.

50 dollars a share.
 

As I said earlier, it is my responsibility to ensure that our environment is hardened against discovered security vulnerabilities (and undiscovered, where possible). Software mitigations protect against these vulnerabilities, sometimes this has a non-trivial impact on performance in a given workload, it is up to organizations to find a balance between performance and security. This is a trade-off in every environment with limited resources.

In the case of the vulnerability you've cited, we are protected in at least 1 layer by our O.S. vendor:
https://access.redhat.com/security/cve/CVE-2019-1125\

was that from CTS labs?

you know that was just an attempt to devalue a company

and look how well it worked.

50 dollars a share.

I gave you a link to mitre.org - if you don't know who that is, you shouldn't be having this conversation.
 
As I said earlier, it is my responsibility to ensure that our environment is hardened against discovered security vulnerabilities (and undiscovered, where possible). Software mitigations protect against these vulnerabilities, sometimes this has a non-trivial impact on performance in a given workload, it is up to organizations to find a balance between performance and security. This is a trade-off in every environment with limited resources.

In the case of the vulnerability you've cited, we are protected in at least 1 layer by our O.S. vendor:
https://access.redhat.com/security/cve/CVE-2019-1125\



I gave you a link to mitre.org - if you don't know who that is, you shouldn't be having this conversation.

that attack bypasses mitigations from spectre and meltdown

if you didn't' read it than i don't know what to say

Mitigation
There is no known complete mitigation other than updating the kernel and rebooting the system. This kernel patch builds on existing spectre mitigations from previous updates.

Customers are advised to take a risk-based approach to mitigate this issue. Systems that require high degrees of security and trust should be addressed first and isolated from untrusted systems until treatments can be applied to those systems to reduce the risk of exploit.

Note that based on industry feedback, we are not aware of any known way to exploit this vulnerability on Linux kernel-based systems.

"fixed"

lol enjoy your swiss cheese.
 
that attack bypasses mitigations from spectre and meltdown

if you didn't' read it than i don't know what to say

Our O.S. vendor has protections in place for this specific attack vector per updates provided on September 4th, 2019. The link I provided to redhat's article on this vulnerability shows that in the errata availability matrix on the page. The specific update has been installed in our environment, therefore we are protected against this attack.
 
that attack bypasses mitigations from spectre and meltdown

if you didn't' read it than i don't know what to say



"fixed"

lol enjoy your swiss cheese.

"there is no known complete mitigation other than updating hte kernel and rebooting the system"

This is precisely how server patching works. I very much suspect your knowledge of this subject. Tell me, what do you do, professionally?
 
"there is no known complete mitigation other than updating hte kernel and rebooting the system"

This is precisely how server patching works. I very much suspect your knowledge of this subject. Tell me, what do you do, professionally?

that's how exploits work.

they aren't known till they are known

lmfao

not patching holes in sinking ships that's for sure
 
no CPU?

then why isn't any AMD cpu on those lists?

could it be your own bias?

Or starting splitting your environment increases costs of operation and makes daily task more complicated.
Right now we can move our virtual machines around as we need, no problems.
Introduce AMD servers...and the headaches start.
The business case is simply not there yet.
 
True, every environment is different. I suppose a better argument would be to say that given enough resources, it should be possible to overcome these issues in almost any environment.

It always come down to money...aka a business case...such is enterprise.
 
It is based on ~30 years of experience...going to take a LONG to to rectify that...again, this is not little Jimmy's gaming PC.

But funny that I can tell who works in enterprise and who are a "little Jimmy gamer" based solely on their postings here...

Do you still think Japanese cars are rubbish? Same shit, different story, products can improve.
I have different professional applications to you but some that require ECC and multiple redundancies, AMD or Intel isn't a factor.
 
When in time have we confidently been able to say that security researchers are ahead of hackers? In fact, I dare any of you to spam the intarwebs with your full name and the name of your place of work and say you are unhackable. Good luck with that.
So the real problem with intels many holes are that someone may get to one or more of them before the need for patch is even known, and that it would only be natural to be sceptical to the one vendor we all know are setting up a swiss cheese shop these days.
 
Maybe in years past it was as much (or more) not about AMD and them being unable to keep up to Intel as much as it was about Intel making (or taking that) next gen leap so much so they really didn't have a (working) viable product in none of their 3 (or more) engineering teams (for future product) and simply believed AMD fell so far back there is plenty of time (years) to work things out with the next gen product lines - and Then along came Lisa Su, followed by Ryzen, and now that gen leap that made Intel looks so good for the past few years has come back around to bit Intel - Though it does make a statement (if true as noted below) that the 14nm process has proven so well for Intel that they don't have the talent (next gen product) for 10nm to top it - What are (changes) is Intel going to make? Much like AMD and what they went through, it has taken a few shake ups and changes to product a much needed winning product line. Does Intel recover without making some deep changes, we'll see...
-------

Looks like there's no future for Intel.
Just read :

Looks like Intel would completely lose their market share everywhere without any other hope like GPU. That's no businness at all for 3 years. They may have some hope for 2023 but AMD will be much much more advanced. They may only get to AMD 2021 level in 2023, if everything works well.Not sure about that because they are lying and unable to deliver for years. They may be back in 2025, meaning at best competitive, if all goes well.
After reading this, it looks very real, puts everything together so one can understand what's happening. Means if you have money, don't put it in Intel. Intel is totally overpriced today. Not necessarily look at AMD as a replacement. Look how well Ampere is doing and put it in Nvidia (not for gaming but for the server market and self driving cars), if you feel the need to invest in that business. Also TSMC, Samsung have bright future, not Intel.
Also Apple has a great ARM architecture that may very well go into servers. So this could be the end of life of x86 as a global architecture. Because no competition between AMD and Intel is in no way good even for AMD. There has never been so much technological distance between Intel and AMD than now between AMD and Intel and this distance will grow until 2023 when Intel will at best keep that distance steady.
 
You guys must be busy then, at the current rate, you must be bringing mission critical machine down like what, once every two weeks ?

Who brags about having a job where they play whack a mole more often than not? Your users happy ?

First of all, I'm not bragging, only stating that my job includes duties which grant me ample opportunity to engage in the application of security best practices, primarily at a systems level, though also at the network level from time to time.

Second, your assertions are ludicrous. Maintenance windows occur at fixed intervals during nights and weekends and are announced to end-users well in advance, minimizing impact.

I don't see you or master shake indicating any degree of expertise in this subject, only cheerleading for an IHV as though you have something to gain by it. The discourse from one side of this discussion is rather sophomoric, offering only ad hominem and strawmen.
 
On the original subject matter:

I know Charlie Demerjian both personally and professionally. He's very knowledgeable about this industry and has good sources for the most part, but he does have a tendency to predict doom and gloom, particularly for Intel and Nvidia. Intel just announced record revenue for the most recent quarter. Hardly a company on the decline.

That being said, it is fair to criticize Intel for their mis-steps, and they certainly have committed several in the past few years. Intel needs to address the side channel vulnerabilities and get the manufacturing issues under control, in addition to producing competitive products. I believe they can do this, but I am by no means obligated to purchase their products for either my self, or the organization for which I work. When it comes time to purchase new ESX hosts I will carefully evaluate the performance, security, price, scalability/upgradability, ram density per socket, core density per node, power consumption, and TCO of the x86 server platforms available at the time, and make my recommendation to our technology director accordingly. I truly hope AMD and their OEM partners are able to deliver a product that earns a purchase from my organization because if the competitive environment looks then as it does now, AMD definitely has the superior solution in all the aforementioned areas.

If some of you could stop cheerleading (and accusing) for a minute and try to have a civil, intelligent conversation, even asking questions instead of hurling insults, you just might learn something.
 
First of all, I'm not bragging, only stating that my job includes duties which grant me ample opportunity to engage in the application of security best practices, primarily at a systems level, though also at the network level from time to time.

Second, your assertions are ludicrous. Maintenance windows occur at fixed intervals during nights and weekends and are announced to end-users well in advance, minimizing impact.

I don't see you or master shake indicating any degree of expertise in this subject, only cheerleading for an IHV as though you have something to gain by it. The discourse from one side of this discussion is rather sophomoric, offering only ad hominem and strawmen.

Well obviously you aren't supporting anything important since 24/7 uptime doesn't really mean anything to you.

How fixed are the intervals when new flaws are being reported all the time? You wait for your maintenance window to apply important mitigations. Sounds like a serious operation you've got there
 
Well obviously you aren't supporting anything important since 24/7 uptime doesn't really mean anything to you.

How fixed are the intervals when new flaws are being reported all the time? You wait for your maintenance window to apply important mitigations. Sounds like a serious operation you've got there

What do you do you for a living? Your assessment appears to be spoken from a place of ignorance to the realities of daily operations of an I.T. department, let alone ITIL standards.

If you think that mission-critical systems can be brought offline at a moment's notice every time a new patch is released, you don't have a clue how the world of enterprise I.T. works. Did you even think about the fact that patches are often released, break something critical, and are retracted without hours or minutes of release?
 
What do you do you for a living? Your assessment appears to be spoken from a place of ignorance to the realities of daily operations of an I.T. department, let alone ITIL standards.

If you think that mission-critical systems can be brought offline at a moment's notice every time a new patch is released, you don't have a clue how the world of enterprise I.T. works. Did you even think about the fact that patches are often released, break something critical, and are retracted without hours or minutes of release?

Sorry but we're talking patches for hardware flaws, 0 days, stuff like that, not MS office updates

I come from a place where uptime is crucial for business. If I have to take servers offline more often than what a user believes is necessary, that's a problem. Again, not talking about updates to a word processor. More like the tools and systems required to forecast liquidity for major financial institutions, for example. Compliance requirements can't wait until after the maintenance window unfortunately

Long story short, if I'm a user and I depend on infrastructure that isnt reliable because it's being brought down every other week for patching I would be annoyed. If I'm bringing in serious money for a company, making serious money myself, you think I give a shit what your Mickey mouse maintenance schedule is or that the machine is full of holes? Your problem

Just eventually phase out hardware you know to be insecure and bring in stuff that IS secure (not to mention faster and cheaper)

Or do nothing

Or keep buying Intel, I mean who cares really
 
is wprime that important to you?

what game is single threaded?

cities XL is the "newest" one i can think of

A lot of emulators are basically single threaded, and ironically emulation of old games tends to be more demanding than contemporary games. It still matters if you're a gamer.
 
Come on intel open the flood gates. Release some form of Foveros chip!
I can imagine it's going to take a while to perfect 3d packaging, even if they introduce it on 14nm+++ process.:cry:
I want to one day OC a 3D stacked chip. Make it happen intel.
 
Sorry but we're talking patches for hardware flaws, 0 days, stuff like that, not MS office updates

I come from a place where uptime is crucial for business. If I have to take servers offline more often than what a user believes is necessary, that's a problem. Again, not talking about updates to a word processor. More like the tools and systems required to forecast liquidity for major financial institutions, for example. Compliance requirements can't wait until after the maintenance window unfortunately

Long story short, if I'm a user and I depend on infrastructure that isnt reliable because it's being brought down every other week for patching I would be annoyed. If I'm bringing in serious money for a company, making serious money myself, you think I give a shit what your Mickey mouse maintenance schedule is or that the machine is full of holes? Your problem

Just eventually phase out hardware you know to be insecure and bring in stuff that IS secure (not to mention faster and cheaper)

Or do nothing

Or keep buying Intel, I mean who cares really
What do you do you for a living? Your assessment appears to be spoken from a place of ignorance to the realities of daily operations of an I.T. department, let alone ITIL standards.

If you think that mission-critical systems can be brought offline at a moment's notice every time a new patch is released, you don't have a clue how the world of enterprise I.T. works. Did you even think about the fact that patches are often released, break something critical, and are retracted without hours or minutes of release?

Just the change process alone (planning, resources, impact, fallback, verification, approval etc.) makes ANY downtime a major task...and that has to be done while running normal operations too.

This is far from a simple "install & reboot".

A part of my job is making managers, systemowners and customers understand this.

And some shutdowns cost a lot of money...so it is nothing done lightly...something some people are utter clueless about as this thread shows.
 
I want to one day OC a 3D stacked chip. Make it happen intel.
Many phones are 3d stacked with ram on top of the cpu. It sucks ass.
With sillicon level stuff it'll suck just as bad for high power envelope stuff (OC). Don't get too excited.

It still matters if you're a gamer.
If 5% makes a difference you're kidding yourself.
 
Sorry but we're talking patches for hardware flaws, 0 days, stuff like that, not MS office updates

I come from a place where uptime is crucial for business. If I have to take servers offline more often than what a user believes is necessary, that's a problem. Again, not talking about updates to a word processor. More like the tools and systems required to forecast liquidity for major financial institutions, for example. Compliance requirements can't wait until after the maintenance window unfortunately

Long story short, if I'm a user and I depend on infrastructure that isnt reliable because it's being brought down every other week for patching I would be annoyed. If I'm bringing in serious money for a company, making serious money myself, you think I give a shit what your Mickey mouse maintenance schedule is or that the machine is full of holes? Your problem

This is a strawman. The only person that suggested "taking systems down every other week for patching" is you. I described our maintenance process in a general manner previously, it most certainly doesn't involve taking systems down every 2 weeks.

Your description also doesn't take into account major software installations that require interrrupting service availability, e.g. firmware, O.S. upgrades, application upgrades, let alone downtime due to failure or migration to a new system. There is no such thing as 100% uptime. I have a colleague that works at a level 1 trauma center hospital with an infrastructure budget in the tens of millions per year, massive redundancy at every level, and even they have occasional downtime.

Just eventually phase out hardware you know to be insecure and bring in stuff that IS secure (not to mention faster and cheaper)

Or do nothing

Or keep buying Intel, I mean who cares really

I linked to AMD CPU vulnerabilities earlier, as well as a statement directly from AMD indicating it is their position that no processor is 100% secure, particularly against side channel attacks to SMT.

I also laid out the case highlighting Intel's mis-steps and stated that if the decision to replace our ESX hosts came today, I would opt for Epyc CPUs.
 
This is a strawman. The only person that suggested "taking systems down every other week for patching" is you. I described our maintenance process in a general manner previously, it most certainly doesn't involve taking systems down every 2 weeks.

Your description also doesn't take into account major software installations that require interrrupting service availability, e.g. firmware, O.S. upgrades, application upgrades, let alone downtime due to failure or migration to a new system. There is no such thing as 100% uptime. I have a colleague that works at a level 1 trauma center hospital with an infrastructure budget in the tens of millions per year, massive redundancy at every level, and even they have occasional downtime.

We are talking about hardware flaws yes?

2 weeks might be an exaggeration, but we can agree that these flaws that keep popping up, almost once a month, are causing you to bring down systems MORE often than you would need to if they didn't need to be patched yes ?

If you're keeping these high severity patches for your maintenance window, you're doing it wrong. Your systems are exposed. If you are patching as soon as possible, then you're obligated to create outages.

These are the points I'm making that even Jimmy the gamer would grasp
 
We are talking about hardware flaws yes?

2 weeks might be an exaggeration, but we can agree that these flaws that keep popping up, almost once a month, are causing you to bring down systems MORE often than you would need to if they didn't need to be patched yes ?

If you're keeping these high severity patches for your maintenance window, you're doing it wrong. Your systems are exposed. If you are patching as soon as possible, then you're obligated to create outages.

These are the points I'm making that even Jimmy the gamer would grasp

You sound more like a end user or small scale server dude than a professional ITIL enterprise dude...some servers are used in production where even a small downtime cost a LOT of money...and some servers have change freezes for most of the year...and breaking something via an update will cost you a LOT.
Datacenters run hardware n+1 most of the time, but firmware/software often run current -2 to 4...especially on vital servers.
This should be common knowlegde for anyone working in enterprise...
 
Or starting splitting your environment increases costs of operation and makes daily task more complicated.
Right now we can move our virtual machines around as we need, no problems.
Introduce AMD servers...and the headaches start.
The business case is simply not there yet.
Why would moving a VM to an AMD server cause headaches? Honestly curious as most software runs just fine using both Intel and AMD. I haven't heard much about migration issues between x86-64 systems... Now switching to ARM... That's another story.
 
Why would moving a VM to an AMD server cause headaches? Honestly curious as most software runs just fine using both Intel and AMD. I haven't heard much about migration issues between x86-64 systems... Now switching to ARM... That's another story.

Because you're moving the VM live and the CPUs instruction sets need to be the same. So in VMware land you use EVC to make sure all the processors in the cluster are compatible for vMotion, which will mask the instruction sets that not all the processors support. You can only do that with Intel processors or AMD processors, you can't do it across both.

https://kb.vmware.com/s/article/1003212

Hyper-V uses compatibility mode to do the same sorts of things.

https://docs.microsoft.com/en-us/pr...ows-server-2012-r2-and-2012/dn859550(v=ws.11)
 
We are talking about hardware flaws yes?

2 weeks might be an exaggeration, but we can agree that these flaws that keep popping up, almost once a month, are causing you to bring down systems MORE often than you would need to if they didn't need to be patched yes ?

If you're keeping these high severity patches for your maintenance window, you're doing it wrong. Your systems are exposed. If you are patching as soon as possible, then you're obligated to create outages.

These are the points I'm making that even Jimmy the gamer would grasp

If you're creating an outage every time there is a new security patch related to side channel attacks your systems are down almost every day. It's not just microcode updates, there's other firmware updates, hypervisor updates, O.S. updates, and a litany of application and plug-in updates. Waiting for a maintenance window is the industry-recognized standard (ITIL/ITSM) for dealing with these issues. If your team determines the severity of a particular threat to be so high that it must be addressed immediately, that is your call to make, and that's why the emergency change process exists, and yes, we do take advantage of it from time to time, but only when there is a specific threat and not some academic vulnerability that hasn't been seen in the wild.

Look, if you want to take down mission-critical systems in your environment every time a mouse farts be my guest. I'm going to make that determination on a case-by-case basis and only do out-of-band maintenance when the situation warrants.

Again, every environment is different. I don't work for the world's largest I.T. department or anything, but we have several hundred virtual servers to account for in any given maintenance window, and changes need to be made carefully. Patch testing is critical if you want to avoid unforeseen outages related to maintenance, and that takes time and planning. I'm not installing any update day one unless I have no other choice. You want to be a guinea pig - go ahead.
 
Exactly, which is why blanket statements like "this is enterprise, that's how things are done" are stupid. Users change, hardware changes, you need to adapt, even Jimmy the gamer knows that

First of all, I didn't make any of those statements. What I have said is that there is an industry-standard for change management. Most enterprise I.T. departments do adhere to ITIL/ITSM standards. I don't know what you do in your environment, that's up to you.

It is funny that you want to play the victim card now though, after all the strawman arguments have run out and your assumptions proven wrong. Cute.
 
First of all, I didn't make any of those statements. What I have said is that there is an industry-standard for change management. Most enterprise I.T. departments do adhere to ITIL/ITSM standards. I don't know what you do in your environment, that's up to you.

It is funny that you want to play the victim card now though, after all the strawman arguments have run out and your assumptions proven wrong. Cute.

Victim??

I've had business partners that make more for our organization in a month than what the actual infrastructure costs lifetime, if I was to apply the standard methods and practices or if I was to tell them that I was getting them another Wintel box when they spent the past year working around outages, they'd laugh in our faces, promptly replace me with someone who would do a much better job.

These situations are more common than you think and I was just bringing a new point of view to the discussion.

Other than that it's really been a pissing contest which I won't participate in anymore
 
Back
Top