On Sat, 13 Jan 2018, Murray McCullough via cctalk wrote:
I wrote about Spectre and Meltdown recently: INTEL
took its time to inform
the world! Did it inform the world back in earlier days about potential
flaws? Not to blame INTEL only: What about Zilog, etc.? Or did pre-Internet
era protect us computer-classic users? What about running emulation
software as I???ve been doing with ADAM?
Happy computing!
Few emulations are exact enough to duplicate all bugs.
Q: Should an emulator do an exact imitation, or should it work the way
that it is s'posed to? (behavior? or specs?)
Pre-internet protected against most web based malware. But, there are
instances of virus software ever since people exchanged files and disks.
(I'm unaware of any punch-card attacks, but trojans were possible when
people used prior subroutines)
Most prevalent were boot-sector virus attacks and executable file virus
attacks. As software became too eager to help provide dancing kangaroos
and yodelling jellyfish, harmful macros in "productivity software" macro
capabilities also started to surface.
Internet made it much easier to acquire a trojan that would mess you up.
Although reduction in sneaker-net has virtually eliminated boot-sector
spread.
How fast SHOULD the public response be?
If they become aware of that kind of flaw, and can delay public knowledge
until they have patches, they significantly reduce the risk of actual
instances of malware using the exploits.
Note: AFAIK, no examples of actual use of Spectre nor Meltdown have yet
been encountered.
If Microsoft had been in less of a rush, would they still have shipped
patches that gave a BSOD with AMD processors?
After public announcement, there ARE people actively working on developing
malware using it.
Similarly, after the Michelangelo Virus media panic, one of the variants
later encountered was a fairly obvious "wannabe" consisting of
"Stoned"
patched to behave like the publicized Michelangelo behavior. The
"thousands or millions of computers will be destroyed" was bogus.
(BTW, the name "Michelangelo" was based on looking at a calendar to see
what was special about March 6. If McAfee had had a Texas calendar,
instead of a KQED (PBS) one, then it would have been named "Alamo")
Intel made some mistakes in handling the FDIV bug. First, they made the
assumption that the bug would be amazingly rarely encountered due to their
calculations of probability of randomly hitting "winning" combinations of
numerator and denominator, but failed to allow for any of the "winning"
numbers happening to be more commonly used.
THEN, they offered replacements to anybody who could PROVE that it
actually affected their use of the machine. A more appropriate response
would have been, "We WILL replace all affected processors! BUT, there
aren't enough in stock right now to handle all immediately, so we will
START by replacing those for all who can prove that they are affected, and
then get to all others as we can manufacture more suitable replacements."
(Perhaps the majority of people would have already replaced their machine
before their turn came around! What is it? "a new machine every 18
months"?)
Many of the general public had been led to believe that it would produce
completely WRONG results, rather than the LOW ORDER bits of the mantissa
being incorrect. No, it was not capable of "causing the wrong amount of
sales tax to be charged!"