Meltdown – The Intel CPU Security Flaw.


A critical design flaw in Intel-based CPUs, going back ten years, has been discovered by security researchers, who have coined the name “Meltdown” to describe the bug built into most Intel-based chips and, by extension, most of the world’s computers.

The flaw allows the kernel memory in most x86-64 operating systems (Windows, Mac and Linux) to be accessed by specially written malware, which could then provide a user’s data to an attacker or allow the attacker to install other software on the compromised system.

While Intel has ramped up its PR machine to downplay the flaw, I find it a bit odd from an ethics viewpoint that their CEO, Brian Krzanich, sold 24 million dollars in stock options AFTER Intel was informed of the flaw by Google, as reported by Business Insider…

http://www.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1

As a physical replacement (after a redesign) of every CPU sold in the last ten years would be almost impossible to accomplish, it’s going to have to be a software fix implemented at the operating system level to address this blunder.

Linux programmers already have a kernel replacement being tested, while Apple and Microsoft have made statements that their operating systems will be patched in the days and weeks to come.

But due to the nature of the flaw, all these fixes will have to bypass or change the way the O/S addresses each system’s kernel memory, resulting in a system slowdown of anywhere from 5% to 30%.

So for some end users, their computer may lose close to 1/3 of its speed overnight after the respective patches are applied to their operating system. All to address Intel’s massive screw-up.

I am sure the lawyers are already preparing their class action lawsuits as I write this. But it won’t be much help to the regular computer user.

And from a computer repair and support viewpoint, this will mean IT support departments, computer stores and independent computer repair technicians will soon start to receive a large influx of support calls from users who have no idea Intel’s bug is the cause of the coming slowdown and who will demand a fix.

And unfortunately one will not be coming soon from Intel, as it takes years to redesign and retool production for a new or at least updated CPU. And while many people may run out and buy a new computer once they discover their current computer’s performance hit after the patches are installed, it will not really do that much good if they try to get a system with the same specs as they had before, as the chips will still be defective.

UPDATE 1/10/18

While Apple, Microsoft and others have pushed patches to address this issue, it seems that these fixes are not ready for prime time just yet, with AMD chipset users and other systems that use certain antivirus products either being bricked after being updated or stuck in a reboot loop.

At this time, as no real-world attack has been demonstrated to be out in the “wild” just yet, it may be a better idea to wait to install these patches until they can be demonstrated to be working on the vast majority of systems. Not 100% safe, but better than bricking your system. I am sure in the weeks to come working patches will become available.

Apple slows down iPhones?

Apple has, after a recent update, been accused of intentionally slowing down its older iPhones. And after a few bloggers tested their old phones, it seems to be the case.

So is this some conspiracy to get you to buy a new phone at almost $1000 a pop, or is there a reasonable explanation for this “update”?

It may be a combination of both. Apple does not make any extra money if you hold onto your iPhone forever. And if you have seen the iPhone “Season” commercials, it looks like you’re supposed to buy a new iPhone every year. And I guess it’s to their advantage if they can get you to spend upwards of $1000 every 365 days. And all this blends in very well with the trash talk that Apple is slowing down your old phone to make you buy a brand new one.

But Apple claims that the update was to prevent older iPhones from shutting down unexpectedly, which makes a little sense, knowing that older batteries do indeed discharge faster than newer ones and that a phone that quickly shuts down after a charge is inconvenient to use.

In my view it might be a mix of both reasons. Apple does want to increase sales year over year, but also needs to try to make sure their older products do not get a reputation for failing badly at the end of their life cycle. And I might 100% believe their claim of such if they had implemented this update in a different way.

Instead of an update that installs this new battery management protocol in the background, I would have made some kind of popup asking the phone user if they would like to have their phone slowed down to increase battery life. Then the phone owner knows what is going on and has made the choice themselves.

By not asking for permission to implement a major change in the function of their phones, Apple left themselves wide open to these claims against them. And I doubt they will ever be able to get rid of these rumours without changing the update in the way I described above.

So is this a flat-out fraud? Slowing down phones just to get people to buy the next one? I doubt it. My thinking takes me to the conclusion that they indeed were trying to fix something. But their weird implementation of the fix also implies to me that they had few qualms about hiding it in such a way that they would not be averse to selling a few new phones along the way.

Update: 12/28/17

Apple has come out and apologized for their bad handling of this software update and is now offering consumers a $29 battery replacement. But I still have to wonder why they would not just adjust the software update to let end users decide if they want their iPhone’s speed changed or not. In the end, still being forced to buy something or having your phone intentionally slowed down would play into the rumors that they are just trying to find a way to force people to buy new equipment.

 

Taking out the trash

Seems in the past few weeks a bunch of old tech favs have fallen by the wayside.

Piriform’s CCleaner had a bad security breach that left its utilities hacked, and without a clear response and explanation of how their security failed so badly, they are now off my list of recommended software.

AIM Messenger, once a classic instant messaging platform, is calling it a day. Now if AOL will just stop scamming all the computer illiterate with their AOL Desktop software, I will be happy.

And today Microsoft admits that they are now out of the phone business, letting Windows 10 Mobile die off, if not so gracefully.

The one rule in technology is that it always changes, and I am happy to see the above fade away in favor of more modern, secure and helpful technology that I can tell my computer repair clients about.

 

 

Watch out for fake antivirus programs

Just came across this fake antivirus / scamware: “professional cleaning software”.

Could you be any more creative with a name?

If you decide to install security / antivirus software, consult an expert first, or you may end up with a fake that does nothing but take your money.

 

From Homeland Security / US-CERT

If you’re using Thunderbird to check your email…

Original release date: August 21, 2017

Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.3 and apply the necessary update.

Get the update version here

Know your software

On computers as well as smartphones, I find people download software without even doing a Google search to see if it is any good, let alone checking whether the software is just bait for a virus infection or has had other issues discovered with it, such as bugs or not working with certain O/S or hardware.

In addition, software that is great today can be dangerous tomorrow if hackers compromise the source code or are somehow able to control the website providing the downloads for the software.

Yesterday some popular extensions for Google Chrome created by Chris Pederick were reported to have been compromised by hackers.

If you’re running any of these add-ons, you should remove them ASAP…

Chrometana
Infinity New Tab
CopyFish
Web Paint
Social Fixer

This is just one day’s hacking news, as both Chrome extensions TouchVPN and Betternet VPN were also compromised in June.

So before downloading any program, make sure you check it out. And if you need help, ask a computer professional such as RenoGeek to help you with your software choices and security.

The coming end to privacy

The new Amazon Echo will have a “drop-in” (feature???), where people you approve can just “drop in” and video chat instantly. No picking up or screening the call; they just show up on your screen and start chatting. No warning.

In a world that has trained people already to never shut off their cell phones and spend the first part of their day checking emails and updating their status and where people think you died if you don’t answer a text in under a minute, it is a disturbing trend.

We already get rated at work on how “Available” we are, and even Facebook will show how often and how fast you respond to their version of text. Now in this always-on world, companies are pushing us to never be away at all. Even in the book 1984 there were corners to hide in from time to time. But forget that in the new 24/7 “never away” world we are creating.

While I have spent my life working with and promoting all things “Tech”, I resist the idea that you should or even must be available to anybody in the world 24/7.

Technology is supposed to make your life better and free you to do the things you like. If any software or hardware device increases your workload or decreases your enjoyment then it has missed the whole point of why it should exist in the first place.

Testing software

I test software all the time, as I need to be familiar with any products my customers may use or try. Today’s test was for EaseUS Partition Master 12, a consumer-level drive partition and maintenance utility.

While I would give the program itself a 3 out of 10 for usability, as most of the real functions you would need already exist in other free utilities and the price they want for their version is hundreds of dollars over what their competitors ask for, the real disappointment was with their business practice of including crapware with their product, and the fact that the program changes your default search and home pages.

Now I know that if you look carefully and uncheck the right box on the right EULA page, you don’t have to install this junk. But for their target end user, who would be using this utility because they are not very computer savvy, it can easily be missed, and that consumer would then have five extra programs and new search and home pages they never asked for.

Also, as a bonus lesson on how not to do an uninstall program, I would suggest they dump the pop-up webpage asking yet again to change your search pages when you try to uninstall the program. After all, if you’re uninstalling, you are saying in general you did not like the program and want to go back to the way things were before installing said software. Right?

Windows 10 creative edition

The new service pack or update for Windows 10 comes out next Tuesday and seems to have a few new useful features, such as better privacy controls, a Bluetooth-enabled smart lock that uses your phone’s proximity as a “key” to unlock your system, and a “smart” menu that adds folders back to the “start” or Windows flag main menu, which should make some people who have switched to “classic menu” and other software add-ins think twice about adopting the new defaults.

I have already installed an “Early” adopter version of the update and overall it seems OK, except it is missing some items on the right-click “context” menu; Control Panel seems to be one of these missing items. Time will tell if this was just an oversight of the early edition or dovetails into MS plans to put the guts of a Windows machine deeper and deeper in the system to keep regular users from messing with settings.

As always, I anticipate a number of service related issues requiring service calls over the next few months as the kinks are worked out of this new update.

 

LastPass warns users while it fixes a ‘MAJOR’ vulnerability.

While I am all for any attempt by end users to secure their passwords, I have always been a bit leery of using services such as LastPass, as they are a high-value target. Hackers know that if they can get into a service like this they will have access to millions of accounts. I prefer my passwords in a spreadsheet encrypted with a strong password. Seems old school to some. But I don’t have to change all my passwords every time LastPass is in the news. And this is not the first security threat they have had to warn users about.

So….

If you’re using LastPass, time to do the password dance again…

i.e., change your passwords now.