Announcement

Collapse
No announcement yet.

The Performance Impact To POWER9's Eager L1d Cache Flushing Fix

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • ezekrb5
    replied
    Originally posted by kgardas View Post

    I don't agree. I think reality is more on a side of responsible disclosure than on a side of wild publishing of vulnerabilities online. Besides responsible disclosures are also motivated financially so you can't blame researches for using them... And also I'm not sure if sometimes by using un-responsible disclosure if you would not put yourself into a danger of a lawsuit -- specially in US.
    If there were any real repercussion about disclossing others, then you just have to disclose them anonymously. You let the infosec communities spread the news around and that's it.
    Most of the countries which hold the data or use the data are not even the US and lack law enforcing (or don't even have said laws).

    Leave a comment:


  • kgardas
    replied
    Originally posted by sandy8925 View Post

    Sure they might take you to court, but they won't have a case. You didn't create the vulnerability, nor did you hack the hospital. You just disclosed the existence of a problem/flaw. There's no guarantee that the flaw wouldn't otherwise have been discovered (or that it hasn't already been discovered and is being actively exploited).
    So they may take you to court and you need to allocate your time for it, your energy for it and also your money (or even loan) to get some good lawyer for it. Do you agree?
    And now, if you would do responsible disclosure in cooperation with the company, do you think the risk for you to end in the court would be same or lower?

    I'm asking since IMHO with responsible disclosure the risk for you (as researcher/publisher) will be lower so at the end of the day you will save (possibly) more time for your research instead of organizing your court defense... What's better?

    Leave a comment:


  • Guest
    Guest replied
    Originally posted by kgardas View Post

    I'm not lawyer, but I'm not so sure at all. Imagine extreme case: you make unresponsible disclosure and company is not able to patch immediately but it takes 1 year. During that year someone develops attack code and either he/she or some other use that to attack hospitals. They ask for ransom. Communication fails, some hospital does not pay, and hence ends under active attack. Medical instruments are failing one after another and in an ongoing chaos someone dies. The "someone" is later proved to has high chance to live, "he/she" was nearly all right but needed medical instrument for live support at that time, but since medical instrument failed, live is gone. Someone's family does have some money and pay for analysis (they or hospital itself) and result is that instrument failure was direct result of attack which used your not-properly disclosed vulnerability. Attacker is unknown. You as author of vulnerability disclosure are well known.
    Do you still think the hospital or family or both parties will not take you to the court? Especially in US system? (Caveat: as EU citizen I know US system just from Hollywood movies).
    Sure they might take you to court, but they won't have a case. You didn't create the vulnerability, nor did you hack the hospital. You just disclosed the existence of a problem/flaw. There's no guarantee that the flaw wouldn't otherwise have been discovered (or that it hasn't already been discovered and is being actively exploited).

    Leave a comment:


  • kgardas
    replied
    Originally posted by sandy8925 View Post

    Unreasponsible disclosure can only put you in danger of a lawsuit, if you're intentionally lying that a vulnerability exists, and in that case only a defamation suit can be filed (and the company has to prove that you're lying).
    I'm not lawyer, but I'm not so sure at all. Imagine extreme case: you make unresponsible disclosure and company is not able to patch immediately but it takes 1 year. During that year someone develops attack code and either he/she or some other use that to attack hospitals. They ask for ransom. Communication fails, some hospital does not pay, and hence ends under active attack. Medical instruments are failing one after another and in an ongoing chaos someone dies. The "someone" is later proved to has high chance to live, "he/she" was nearly all right but needed medical instrument for live support at that time, but since medical instrument failed, live is gone. Someone's family does have some money and pay for analysis (they or hospital itself) and result is that instrument failure was direct result of attack which used your not-properly disclosed vulnerability. Attacker is unknown. You as author of vulnerability disclosure are well known.
    Do you still think the hospital or family or both parties will not take you to the court? Especially in US system? (Caveat: as EU citizen I know US system just from Hollywood movies).

    Leave a comment:


  • Guest
    Guest replied
    Originally posted by kgardas View Post

    I don't agree. I think reality is more on a side of responsible disclosure than on a side of wild publishing of vulnerabilities online. Besides responsible disclosures are also motivated financially so you can't blame researches for using them... And also I'm not sure if sometimes by using un-responsible disclosure if you would not put yourself into a danger of a lawsuit -- specially in US.
    Unreaponsible disclosure can only put you in danger of a lawsuit, if you're intentionally lying that a vulnerability exists, and in that case only a defamation suit can be filed (and the company has to prove that you're lying).

    Leave a comment:


  • kgardas
    replied
    Originally posted by ezekrb5 View Post

    I know about that, but that's just courtesy, in the real world people will flame you, will publish your vulnerabilities online, and will take advantage of them, specially if you are a big company that has much to loose. I'm not saying that's good, but that's reality, there are no safe spaces. We have to be grateful this was patched ASAP and nobody got pwned.
    I don't agree. I think reality is more on a side of responsible disclosure than on a side of wild publishing of vulnerabilities online. Besides responsible disclosures are also motivated financially so you can't blame researches for using them... And also I'm not sure if sometimes by using un-responsible disclosure if you would not put yourself into a danger of a lawsuit -- specially in US.
    Last edited by kgardas; 26 November 2020, 05:47 PM.

    Leave a comment:


  • ezekrb5
    replied
    Originally posted by kgardas View Post

    You have probably not read about information embargo right? If not, google for it. It's common for security researchers to report vulnerability with proof of concept code and then wait months till manufacturer react, fix their issues and is ready to go to open public with report. So far the longest embargo I've seen was nearly 2 years IIRC! And that was Intel involved...
    I know about that, but that's just courtesy, in the real world people will flame you, will publish your vulnerabilities online, and will take advantage of them, specially if you are a big company that has much to loose. I'm not saying that's good, but that's reality, there are no safe spaces. We have to be grateful this was patched ASAP and nobody got pwned.

    Leave a comment:


  • kgardas
    replied
    Originally posted by ezekrb5 View Post
    At least they moved quickly and fixed this very soon.
    People bash intel for the security flaws but intel did move quite fast to fix them.
    [...]
    You have probably not read about information embargo right? If not, google for it. It's common for security researchers to report vulnerability with proof of concept code and then wait months till manufacturer react, fix their issues and is ready to go to open public with report. So far the longest embargo I've seen was nearly 2 years IIRC! And that was Intel involved...

    Leave a comment:


  • edwaleni
    replied
    Based on this test set it appears that reads and seeks are most impacted which makes sense. Would be interesting to know if the POWER10 design caught this or if a new stepping will be needed.

    Leave a comment:


  • Paradigm Shifter
    replied
    Originally posted by AndyChow View Post
    It's not that bad for the fix. This is L1 data flushing, I would have imagined 30%+ problems.
    I'll be honest, I was expecting to see anything in the range of 20-50% impact, depending on workload. To see, what, 0-5% impact is far less painful.

    Leave a comment:

Working...
X