# If you're going to buy a new PC, wait - or buy AMD (big Intel bug found)



## LDS (Jan 2, 2018)

It looks like a hardware bug has been identified in Intel chips that requires changes in any OS (Windows, macOS, Linux, etc. etc.) which will have a substantial impact on performance. AMD chips are not affected.

See, for example, here: http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

The real performance impact will be assessed as soon as the changes are released; till then there's a layer of secrecy because the bug has big security implications.

IMHO anybody going to buy a new PC should be aware of this, many previous benchmarks may become invalid.

Let's see how the photo applications will be impacted by these changes, if everything is confirmed.


----------



## Don Haines (Jan 2, 2018)

LDS said:


> It looks like a hardware bug has been identified in Intel chips that requires changes in any OS (Windows, macOS, Linux, etc. etc.) which will have a substantial impact on performance. AMD chips are not affected.
> 
> See, for example, here: http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
> 
> ...



I wonder if the bug will affect GPU processing..... a decent GPU can (depending on what software is in use) have more impact than the CPU.....


----------



## Orangutan (Jan 2, 2018)

Don Haines said:


> LDS said:
> 
> 
> > It looks like a hardware bug has been identified in Intel chips that requires changes in any OS (Windows, macOS, Linux, etc. etc.) which will have a substantial impact on performance. AMD chips are not affected.
> ...



From what little I've read, probably not. It appears to be a memory segregation problem in the memory management/paging system, which allows unprivileged processes to see privileged data. I don't believe GPUs do memory paging like this because it's not really necessary/appropriate to the kind of work they do, and there is a performance/complexity hit (I'm not an expert, I'm happy to be corrected).


----------



## LDS (Jan 2, 2018)

Don Haines said:


> I wonder if the bug will affect GPU processing..... a decent GPU can (depending on what software is in use) have more impact than the CPU.....



Without being too technical, this bug should have an impact when applications call the OS kernel - the GPU itself is not affected, but often to send/get data from/to the GPU an application may have to go through calls to the kernel. It looks like the performance loss depends on how many times this happens - and that depends on how the application and the libraries it uses are written.

Details are still very scanty - and it's late in this part of the world. If this is confirmed and new details are made available, I'll update this thread.


----------



## brad-man (Jan 2, 2018)

It figures. For the last 10 years or so I've built my PCs from scratch using AMD processors. This last time around I got lazy and bought a Dell i7 machine.

"Looks like I picked the wrong week to quit AMD."

https://www.youtube.com/watch?v=VmW-ScmGRMA


----------



## YuengLinger (Jan 3, 2018)

Hopefully my 8th gen CPU solved this particular problem.


----------



## Mt Spokane Photography (Jan 3, 2018)

The really big impact is on cloud servers and business servers used by banks, online stores, -- the whole world. I doubt if the impact on personal computers is a big deal, so many are already compromised that a few more would not make a difference.

Slowing down already slow secure applications could have a huge impact. I suspect that the timing - just after Christmas is meant to give users time to replace or add to existing hardware in order to handle the loads come next Black Friday.


----------



## Mt Spokane Photography (Jan 3, 2018)

Intel has a tool to check your system. Here are my results.


----------



## Orangutan (Jan 3, 2018)

Mt Spokane Photography said:


> Intel has a tool to check your system. Here are my results.



That appears to be the test for the Management Engine vulnerability, not the recently-revealed kernel memory leak. The Management Engine uses a physically separate (smaller) CPU.


----------



## Mt Spokane Photography (Jan 3, 2018)

Orangutan said:


> Mt Spokane Photography said:
> 
> 
> > Intel has a tool to check your system. Here are my results.
> ...



Yes, there was a link to the test tool in an article I read; it was discussing multiple issues. At least I was able to download fixes. Dell had posted one just a few days ago. Now, to fix the rest of my PCs.

I doubt if Windows will give any options for opting out of the fix. I think I'll download some benchmark software and compare before and after.

I'm not in the market for a new pc, but have 4 that are affected. Lawsuits are coming.


----------



## Sabaki (Jan 3, 2018)

Just put a new PC together on Saturday: 
i7 8th Gen / 32gb RAM, should I be worried?


----------



## sulla (Jan 3, 2018)

Sabaki said:


> Just put a new PC together on Saturday:
> i7 8th Gen / 32gb RAM, should I be worried?


Yes, you should be. Based on the information currently available, this CPU *will* be affected.
It seems a *major*, horrible issue.


----------



## sulla (Jan 3, 2018)

Sabaki said:


> Just put a new PC together on Saturday:
> i7 8th Gen / 32gb RAM, should I be worried?


Actually the performance impact of the bugfix on newer intel CPUs is smaller than on older, because newer CPUs handle the Translation Lookaside Buffers more efficiently than older intel CPUs, and those buffers play a crucial role in fixing the design bug. But all recent intel CPUs will be affected.


----------



## LDS (Jan 3, 2018)

Mt Spokane Photography said:


> I doubt if the impact on personal computers is a big deal, so many are already compromised that a few more would not make a difference.



There is the security impact (unpatched systems may be vulnerable to future attacks exploiting the bug), and there is the performance impact - the way the bug is patched requires changes that will make kernel calls slower. 

In Linux it looks like there will be an option to accept the risk and keep performance at actual levels. For Windows and macOS no information has been released yet.

If such an option is made available, well protected workstations used only for specific tasks and running known software only - i.e. image/video processing - and nothing else, could accept the risk, but some care would be needed.


----------



## sulla (Jan 3, 2018)

sulla said:


> Actually the performance impact of the bugfix on newer intel CPUs is smaller than on older, because newer CPUs handle the Translation Lookaside Buffers more efficiently than older intel CPUs, and those buffers play a crucial role in fixing the design bug. But all recent intel CPUs will be affected.


As of now, I understand that if the processor supports the "PCID" feature, the impact of the bugfixes will be smaller. You can google for your processor identifier and pcid to find out if this is the case or not. I have an i5 3570K (Ivy Bridge) and it has the PCID feature.

It remains to be seen how large/small the performance impact will be.


----------



## midluk (Jan 3, 2018)

sulla said:


> sulla said:
> 
> 
> > Actually the performance impact of the bugfix on newer intel CPUs is smaller than on older, because newer CPUs handle the Translation Lookaside Buffers more efficiently than older intel CPUs, and those buffers play a crucial role in fixing the design bug. But all recent intel CPUs will be affected.
> ...


I wouldn't have expected that Ivy Bridge counts as "new", but indeed, it is listed in the flags in /proc/cpuinfo also for my i5-3550.
I wouldn't expect the fix to have any big influence on cpu-only image or video processing. There shouldn't be many syscalls going on. For GPU-accelerated tasks it remains to be shown.

But even independent of this Intel CPU bug, if you have highly multithreaded work, AMD Ryzen will likely give you better performance than Intel for the same (or even less) money.


----------
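The `/proc/cpuinfo` check mentioned in the post above can be scripted. This is an added example, not part of any forum post: it reads the `flags` and `bugs` lines of x86 Linux `/proc/cpuinfo` text and reports whether PCID is present and whether kernel page-table isolation is active. The function names and the four sample excerpts are constructed for illustration; it relies on patched kernels exposing a `bugs` line and a `pti` flag.

```shell
#!/bin/sh
# Added example, not from the thread. The samples are constructed, trimmed
# /proc/cpuinfo excerpts in the x86 Linux layout.

SAMPLE_PATCHED='vendor_id : GenuineIntel
model name : constructed sample, PCID-capable, patched kernel
flags : fpu vme de pse tsc msr pae sse2 ht pcid sse4_2 avx pti
bugs : cpu_meltdown spectre_v1 spectre_v2'

SAMPLE_NOPTI='vendor_id : GenuineIntel
model name : constructed sample, isolation switched off at boot
flags : fpu vme de pse tsc msr pae sse2 ht pcid invpcid avx2
bugs : cpu_meltdown spectre_v1 spectre_v2'

SAMPLE_OLD_KERNEL='vendor_id : GenuineIntel
model name : constructed sample, kernel that predates the patches
flags : fpu vme de pse tsc msr pae sse2 ht'

SAMPLE_NOT_LISTED='vendor_id : AuthenticAMD
model name : constructed sample, kernel does not list Meltdown for it
flags : fpu vme de pse tsc msr pae sse2 ht avx2
bugs : spectre_v1 spectre_v2'

# field_words NAME: print the words of the first "NAME : ..." line on stdin,
# one per line. Accepts tabs or spaces around the colon.
field_words() {
    awk -F':' -v name="$1" '
        { key = $1; gsub(/[ \t]+$/, "", key) }
        key == name {
            n = split($2, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
            exit
        }'
}

# has_word WORD LIST: succeed if WORD is one of the newline-separated LIST items.
# Whole-line matching keeps "pcid" from matching inside "invpcid".
has_word() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# assess_cpuinfo TEXT: print "pcid=.. invpcid=.. pti=.. meltdown=.."
assess_cpuinfo() {
    ac_flags=$(printf '%s\n' "$1" | field_words flags)
    ac_bugs=$(printf '%s\n' "$1" | field_words bugs)
    ac_pcid=no; ac_invpcid=no; ac_pti=no; ac_melt=unknown

    if has_word pcid "$ac_flags"; then ac_pcid=yes; fi
    if has_word invpcid "$ac_flags"; then ac_invpcid=yes; fi
    # "pti" is the mainline flag; some older stable backports show "kaiser".
    if has_word pti "$ac_flags" || has_word kaiser "$ac_flags"; then ac_pti=yes; fi

    # A kernel without the patches has no Meltdown entry at all, so a missing
    # "bugs" line means "unknown", not "safe".
    if printf '%s\n' "$1" | grep -Eq '^bugs[[:space:]]*:'; then
        # Early patched kernels named the bug cpu_insecure.
        if has_word cpu_meltdown "$ac_bugs" || has_word cpu_insecure "$ac_bugs"; then
            ac_melt=listed
        else
            ac_melt=not-listed
        fi
    fi
    printf 'pcid=%s invpcid=%s pti=%s meltdown=%s\n' \
        "$ac_pcid" "$ac_invpcid" "$ac_pti" "$ac_melt"
}

# verdict LINE: reduce an assess_cpuinfo line to one status word.
verdict() {
    case "$1" in
        *meltdown=unknown*)    echo unknown ;;             # update the kernel first
        *meltdown=not-listed*) echo not-listed ;;          # kernel does not flag this CPU
        *pti=no*)              echo exposed ;;             # e.g. booted with pti=off
        pcid=yes*)             echo mitigated-with-pcid ;; # cheaper kernel entry/exit
        *)                     echo mitigated-no-pcid ;;   # expect more syscall overhead
    esac
}

# Run against the live system when the file exists (Linux only).
if [ -r /proc/cpuinfo ]; then
    live=$(assess_cpuinfo "$(cat /proc/cpuinfo)")
    echo "this host: $live -> $(verdict "$live")"
    # Patched kernels also publish a per-issue status file; show it if present.
    vuln=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$vuln" ]; then echo "kernel reports: $(cat "$vuln")"; fi
fi
```

A result of `unknown` means the running kernel is too old to report the issue, which is itself the finding: the machine has not received the update.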



## symmar22 (Jan 4, 2018)

That's what happens when a processor cartel gets a hold on the globality of the market for almost 10 years. I cannot believe that bug was just discovered since it seems to have been here for very long. But when there is no concurrence who cares ?

A big thanks anyway to AMD to have ryzen from the dead (sorry for this one), the effect on Intel was immediate: within 6 months they launched a dozen CPUs that were not supposed to exist at half the price of the previous gen. That is a thought for the people who want Canon to give up sensor development and buy Sony sensors instead. Once Sony will be king of the cartel, do you really think they will keep pushing the best sensors they can?

As for the AMD Ryzen, it is not however the best choice if you use Photoshop and Lightroom, where fast Intel CPUs still have an edge. Part of the problem is the less-than-optimized Adobe code, that is still unable to use the multiple cores. I hope Adobe will finally put some of their huge profits to work on their obsolescent code, since for now the fastest quad core (i7 8700k) is still the best solution (faster than 16 cores Xeons) to work in Lightroom and PS.

This is a bit of a primitive behaviour, since most serious CAD and high end video editing software have made perfect use of multi core processing for years.

When I started with computers in 1999, the hardware was the problem since there was never enough power to do what you wanted to quickly and had to upgrade your machine every year. Nowadays, the software is lagging behind the hardware and needs to be better optimised to use the full capacity of the hardware.


----------



## Mt Spokane Photography (Jan 4, 2018)

Intel, AMD, and ARM all have products affected, the story is still unfolding. Arm processors are more numerous than all the others together, but many are not utilized in such a way as to be an issue.

I wonder about Canon's cameras, pretty much all cameras use ARM based processors, and those with Wi-Fi may be accessible by Malware. Considering that no one has actually figured out how to take advantage of the issue (maybe in secret labs?), cameras are way down the list as primary targets, printers may be higher, since they now have wi-fi and are connected to networks.


----------



## LDS (Jan 4, 2018)

Mt Spokane Photography said:


> Intel, AMD, and ARM all have products affected, the story is still unfolding. Arm processors are more numerous than all the others together, but many are not utilized in such a way as to be an issue.



There are three separate issues, one named now "Meltdown", and the other two under the name of "Spectre" (now IT security researchers like to name such things...)

The former is what surfaced first, and it looks like it affects Intel and some ARM chips and allows reading kernel memory. The others let a process (an application) read data from other processes, or its own (which can be used from restricted code - i.e. web sites Javascript, to get data from the browser it's running in). These affect AMD chips as well.



Mt Spokane Photography said:


> Considering that no one has actually figured out how to take advantage of the issue (maybe in secret labs?),



There are now some proof of concepts shown, i.e. stealing passwords from a password manager. Usually, until patches are widely available researchers don't tell how to actually exploit the attack fully.

Anyway, to exploit these vulnerabilities you need to download and run code on the affected CPU - you can't exploit it remotely; simply having a network connection is not enough. So cameras shouldn't be affected - and that's why I believe that cameras running mobile OS like Android and allowing "apps" to be downloaded and run would be much less secure.

For details:

http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/


----------



## Mikehit (Jan 4, 2018)

LDS said:


> AMD chips are not affected.
> 
> See, for example, here: http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/



Are you sure? The link you posted ends with 



> Bear in mind there are two flaws at play here: one called Meltdown that mostly affects Intel, and what the above article is all about, and another one called Spectre that affects Intel, AMD, and Arm cores.



Damned if you do, damned if you don't...


----------



## Orangutan (Jan 4, 2018)

Mikehit said:


> Damned if you do, damned if you don't...



They're affected in different ways, so we'll have to wait a few weeks and see which suffers the greatest performance hit. I'm sure all the benchmark sites will update their results as soon as they've got a patched OS to test on.


----------



## sulla (Jan 4, 2018)

symmar22 said:


> That's what happens when a processor cartel gets a hold on the globality of the market for almost 10 years. I cannot believe that bug was just discovered since it seems to have been here for very long. But when there is no concurrence who cares ?


Indeed, monopolies are a very bad thing, but I'm sure this design flaw is not a consequence of laziness because of a monopoly. That's just a design flaw that has been discovered by Google researchers in June 2017, it seems.

What surely is the result of monopoly-laziness on intel's part is processors with limited performance improvement and unnecessarily high prices over the last 10 years. Let AMD announce fast processors, and all of a sudden, intel shells out 6-core CPUs, lowers prices and all of that... Thanks, AMD, for breaking the intel-monopoly, indeed. But the design flaw has nothing to do with that, I'm sure.


----------



## symmar22 (Jan 4, 2018)

sulla said:


> symmar22 said:
> 
> 
> > That's what happens when a processor cartel gets a hold on the globality of the market for almost 10 years. I cannot believe that bug was just discovered since it seems to have been here for very long. But when there is no concurrence who cares ?
> ...



Agreed the design flaw has likely nothing to see with Intel monopoly if we see it happening as well with AMD and ARM processors. The recent launches of Intel's new CPUs on the other hand have everything to see with cartel behaviour. Same as Adobe laziness to update their code.

As an Intel user, I'd love to see more performance per dollar, and I am really happy that AMD has shaken the tree quite a bit lately. I would have loved to see Intel management trouble when they learned about Ryzen. Vacation is over, dude.

For that reason I am very happy when Nikon or Sony deliver excellent cameras, it forces Canon to at least try to come close performance wise.

This is the kind of bug that will scare a lot of people (probably for no reason in most cases) and could relaunch the computer industry for a few years, since a lot of people will want to get rid of the "dangerous" CPU or won't be happy with the loss of performance related to the patch (I read up to 30% performance loss on some older CPUs). Personally I was thinking about upgrading my PCs soon, I think I'll wait a year more.

As for the effect on Canon ARM processors, I would not worry too much. Someone working on a malware to disable your camera proprietary system is likely a remote threat. If our cameras were running a version of Android, that would be another problem...


----------



## LDS (Jan 4, 2018)

Mikehit said:


> LDS said:
> 
> 
> > AMD chips are not affected.
> ...



The first news on January 2nd were about what is now called "Meltdown", which looks to impact only Intel chips and some ARM, and the solution of which may have the biggest impact on performance, at least on Intel.

Then Google Zero Project (a research project dedicated to IT security) released details about the other (which can be used in two ways). This one should not impact performance, but could be more difficult to fix.

It's an ongoing story, we'll know the full details when patches will be ready, people start to install them and benchmarks are released - in our case those regarding the workflow we need to run (although many of us don't run image processing applications only, but let's stick to them in this forum).

Maybe the thread title should be updated.


----------



## LDS (Jan 4, 2018)

symmar22 said:


> As an Intel user, I'd love to see more performance per dollar,



Beware that the root cause of this issue is probably that. The CPU delays security checks to improve performance. Just it turned out to be a bad choice - as long as you can't run only fully trusted code. Just, performance sells better than security.

We see something alike in cameras, where some people may be obsessed with fps or megapixels while overlooking other critical aspects of image capture.


----------



## ethanz (Jan 4, 2018)

Mt Spokane Photography said:


> I wonder about Canon's cameras, pretty much all cameras use ARM based processors, and those with Wi-Fi may be accessible by Malware.



It may be a good thing for me the 1dx2 doesn't have built in wifi then lol.


----------



## Mt Spokane Photography (Jan 4, 2018)

ethanz said:


> Mt Spokane Photography said:
> 
> 
> > I wonder about Canon's cameras, pretty much all cameras use ARM based processors, and those with Wi-Fi may be accessible by Malware.
> ...



It's the big government sponsored organizations that will go after this bug. They have the resources to find a way to exploit it.

Amazon has already patched most of their servers, and I'd expect that the other big players have also. This leaves the medium ones whose IT budget has been cut to save costs, and smaller governmental organizations stalled in paperwork and politics.

I have created a separate password for each website, and use a password manager to login. If one site is hacked, they can't use the data to get to another. I should create email aliases for each one as well, so I'd have a hint if one was compromised. There are 298 as of this morning, I don't want to create that many email addresses, but if I did 20 a week, it would not take more than a few months to get there.


----------



## Don Haines (Jan 4, 2018)

LDS said:


> We see something alike in cameras, where some people may be obsessed with fps or megapixels while overlooking other critical aspects of image capture.



Yeah..... who cares if the exposure or focus is right, as long as it is fast!


----------



## symmar22 (Jan 5, 2018)

LDS said:


> symmar22 said:
> 
> 
> > As an Intel user, I'd love to see more performance per dollar,
> ...



What I meant by "more performance per dollar" is that Intel prices were artificially inflated by the lack of concurrence. As soon as AMD was back in the race, some prices were almost divided by 2. Intel has been milking the market for almost a decade, hopefully these days are gone. I am the first one to prefer quality over quantity, but the lack of performance improvement with Intel CPUs these last years is at best minimal.

Since Sandy bridge, we're talking about an average 5% per generation, that is when they were not going backwards (Broadwell). I am still using an Ivy Bridge 3770K, and until now saw no reason to upgrade.

It's mostly the sum of all new tech (NVM-E SSDs, USB 3.1, Thunderbolt, faster PCI lanes and 16GB DDR4 modules) that makes me want to finally upgrade, as well as the indication that Adobe is finally willing to sort out its obsolescent code in both Lightroom and PS.

Until now, Intel was delaying progress so much, they delayed my will to upgrade as well. Suddenly with AMD fighting again, they discovered they had some better CPUs to put on the market at more reasonable prices. I was on the verge to invest in a 6 or 8 core i7, but I think now I'll wait for the next gen. I may consider a Ryzen 1800x, but in PS and LR it is not as efficient as the 8700K, 7800X or 7820X I am considering.


----------



## Orangutan (Jan 5, 2018)

symmar22 said:


> What I meant by "more performance per dollar " is that Intel prices were artificially inflated by the lack of concurrence. As soon as AMD was back in the race,
> 
> ...
> 
> Since Sandy bridge, we're talking about an average 5% per generation, that is when they were not going backwards (Broadwell). I am still using an Ivy Bridge 3770K, and until now saw no reason to upgrade.



The conventional wisdom (you decide if it's wise or not) is that consumer need for CPU power has hit a plateau due to the fact that adding a GPU will allow FPS gaming at good framerates at HD resolutions. Basically, we've hit the point where the eye can't see much more sharpness, and it's now all about more complex scenery and movement, which is also best handled by a GPU. We continue to see strong performance improvements in GPUs.

Again, the CW is that CPUs are now being fine-tuned for performance-per-watt; this is both for mobile devices running on battery, and also for data centers in which a CPU that's powered-on will be running hard almost constantly.

I'm not an expert on this, so I'd appreciate comments from anyone with more info.


----------



## YuengLinger (Jan 5, 2018)

sulla said:


> Sabaki said:
> 
> 
> > Just put a new PC together on Saturday:
> ...



"Be afraid, be very afraid."

https://www.youtube.com/watch?v=--hMJPUBwMc

Chicken Little syndrome?

So breathless!


----------



## Mt Spokane Photography (Jan 5, 2018)

So more and more companies are admitting to the issue, all Apple Devices, Intel Devices, AMD Devices, many ARM devices, Qualcomm and Samsung aren't mentioned in what I've seen, but you can bet on the issue with them as well.

The title of this thread is obviously misleading.

BTW, most modern cars use ARM devices, and several of them, Cameras, printers, TV sets, DVD players, NAS, the list is endless.

Cars are going to be an obvious hacker target, updating firmware in them is difficult, you must take it to a dealer. Most will never be updated.


----------



## Orangutan (Jan 5, 2018)

Mt Spokane Photography said:


> Cars are going to be an obvious hacker target, updating firmware in them is difficult



No more than before: bear in mind that this is an "escalation of privilege" attack, not a remote exploit. In order to gain advantage you must already be running lower-privilege code on the machine. Car engine controls are not designed to run "userspace" programs at all.

On the other hand, some new car entertainment systems allow installation of apps, so they would be a target. While they wouldn't take over your car's controls, they might allow stepping-stone attacks on your wirelessly-connected devices.


----------



## Luds34 (Jan 5, 2018)

Orangutan said:


> Mt Spokane Photography said:
> 
> 
> > Cars are going to be an obvious hacker target, updating firmware in them is difficult
> ...



Agreed, an attacker needs to get their software/exploit running on the system. In general embedded devices are no more vulnerable today than they were a week ago before this made news as they are typically locked down and don't allow the user to access the underlying system/OS. AND keep in mind this is READ only access, great if you're stealing passwords, secrets, but not so good if you're trying to manipulate, take over the system.


----------



## Orangutan (Jan 5, 2018)

Luds34 said:


> Orangutan said:
> 
> 
> > Mt Spokane Photography said:
> ...


Reading privileged info (passwords, keys) can enable other attacks that would give full access.


----------



## Mt Spokane Photography (Jan 5, 2018)

Cars are already targets of hacking, hackers can be used to gain access. Just what data may be accessible in the memory in a car is really unknown, but an army of bots could likely shut down a fleet of 100,000 cars if they are able to install malware that accesses security information. In fact, it's already been done.

It just adds to the number of security loopholes already existing.

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/


----------



## LDS (Jan 5, 2018)

Some information about the patches:

Apple: patches for "Meltdown" have been rolled out in its December updates (https://support.apple.com/en-us/HT208394) macOS 10.13.2. Patches for "Spectre" will follow.

Windows: Microsoft is releasing patches these days, including Windows 7. They should appear in Windows update, inside the monthly rollup. There's a caveat: any installed antivirus needs to be updated, and it has to signal Windows it knows about the changes through a registry key (https://support.microsoft.com/en-us/help/4056897), because otherwise the changes could trigger AV actions.

Linux: patches for the various distros are being released.

It will be interesting to know what impact - if any - they will have on our workflows. I'm going to test ASAP.


----------



## YuengLinger (Jan 6, 2018)

Windows patch has conflicts with Asus AI Suite.


----------



## deleteme (Jan 6, 2018)

From what I have read, Intel, ARM and AMD are all vulnerable.

Buying an AMD powered machine won't help you apparently.
However as we are equally vulnerable there is not much you can do but wait for what patches they can offer.
I am sure the problem will be addressed in future chip designs where the issue of security will be at the top of the list.


----------



## Orangutan (Jan 6, 2018)

Normalnorm said:


> Buying an AMD powered machine won't help you apparently.



Not exactly: https://www.amd.com/en/corporate/speculative-execution

Intel has been throwing up FUD to keep their sales and stock price from tanking. The current understanding is that Intel is the most vulnerable, and the hardest to fix. But this is developing news, so who knows what may be accepted truth this time next week.


----------



## sulla (Jan 6, 2018)

Orangutan said:


> The conventional wisdom (you decide if it's wise or not) is that consumer need for CPU power has hit a plateau.


When I'm looking at Lightroom responsiveness and load times, computational power is miles away from what we want.
(If we assume, for a moment, that what we *want* is what we *need*).


----------



## Orangutan (Jan 6, 2018)

sulla said:


> Orangutan said:
> 
> 
> > The conventional wisdom (you decide if it's wise or not) is that consumer need for CPU power has hit a plateau.
> ...



Sure, but Lightroom doesn't drive CPU development nearly as much as FPS gaming, mobile devices and data centers. Also, LR is an excellent candidate for GPU processing, rather than CPU. 

The fact that I want a faster CPU for LR doesn't mean that applies to the entire CPU market.


----------



## Talys (Jan 6, 2018)

I wish some people would become more informed before writing things as fact.

First, AMD chips ARE impacted. AMD says so:



> Variant One - Bounds Check Bypass - Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
> 
> Variant Two - Branch Target Injection - Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
> 
> ...



First, it's important to get this right because if you own an AMD processor based device, it is just as important to update your as if you have an Intel processor based machine. If you have a Windows PC, you must install KB4056892 in the January 4th update in order to be protected. If you have an Azure VM, you must complete the (mandatory) maintenance to be protected (if you do it yourself, they'll force you to do it in about a week). It doesn't matter if you have an AMD or Intel processor in either instance.

Second, it's worth noting that Intel also claims that the impact is negligible, citing that impact on real world computing is much less than on certain adversely impacted benchmarks. Everyone else also says that there are no real-world examples of this type of code impacting customers. And, "near-zero risk" is not worth much; it needs to be patched to be zero risk, because otherwise, someone will find a way to take advantage of it.

Third, this also impacts ARM processors. If you own a smartphone, there is a pretty good chance that it has an ARM architecture processor in it.

Please try to understand what Spectre/Meltdown is. Every modern CPU uses a technique called speculative execution. By analyzing code that's being executed, the processor guesses what might be requested next, and computes that in parallel. If it's correct, the speculative execution branch is accepted and the processor speed is dramatically boosted. If not, that code execution branch is dropped. Unlike the virtual processor that applications use, speculative execution occurs in the CPU's kernel mode, where it can access any memory.

Spectre and Meltdown use ingenious ways of fooling the processor into executing code in the speculative branch that can give it access to protected memory that it shouldn't, thus bypassing protections that are normally there. The mechanism is ingenious. However, it is non-trivial to weaponize this, which is why the risk is minimal. However, a tiny risk doesn't mitigate the fact that a potential payload could compromise everything that you want to keep secret and provide access to important things like banking.

Finally: for people who just bought an 8th generation Intel CPU, you should probably stop worrying about performance. Processors have gotten ridiculously fast and far outstrip the ability of most applications to take advantage of, certainly as it relates to Lightroom/Photoshop. They barely even increase in speed between 4, 6, and 8 processors. 

Now, I will certainly be happy to accept that I am wrong about performance if benchmarks show that PS/LR run significantly slower after KB4056892. However, I have desktop 6th, 7th, and 8th generation Intel processor PCs that I use every day. It happens that I still do most of my work on my 6th-gen PC, simply because it's set up with a ton of software development tools the way I like. PS/LR performance is a bit faster on the 8th gen i7/8700k -- however, I'd say that things that are slow still feel slow, and things that are fast are still instant. Probably, the most noticeable speed difference between 8th gen Intel PCs and 6th has nothing to do with the processor itself, but rather m.2 SSD support. After applying KB4056892, nothing has changed for PS/LR that I can tell anecdotally. Nor, AutoCAD or Visual Studio, or in a few games that I play. 

I'm not saying that there isn't a performance hit; just that I can't feel it, probably because the PC processor is way faster than I need it to be.


----------



## Mt Spokane Photography (Jan 6, 2018)

I ran the benchmark test on my system again today. It is slightly slower in the cpu portion of the test. The memory, graphics and disk portions did not change. Overall, the total score went from ~2150 to ~2100 or about a 2% drop.

If this represents the speed loss due to the fix, it's not worth noticing for a home user, but for highly loaded servers at places like Amazon, it may mean adding a bunch more servers. Amazon is said to have over 454,000 servers, so 2% is 9,080 more servers, when you add in the building space, power, and maintenance, it's a big chunk of money.


----------



## Talys (Jan 6, 2018)

Mt Spokane Photography said:


> I ran the benchmark test on my system again today. It is slightly slower in the cpu portion of the test. The memory, graphics and disk portions did not change. Overall, the total score went from ~2150 to ~2100 or about a 2% drop.
> 
> If this represents the speed loss due to the fix, it's not worth noticing for a home user, but for highly loaded servers at places like Amazon, it may mean adding a bunch more servers. Amazon is said to have over 454,000 servers, so 2% is 9,080 more servers, when you add in the building space, power, and maintenance, it's a big chunk of money.



I believe those sorts of numbers represent Amazon E3, just like Microsoft's Azure, rather than the number of servers they need to sell you stuff. Most of that is resold, though they run their own services on those servers too. 

For people who have E3/Azure VMs, it's highly unlikely that there will be a cost difference, because the VMs are costed in tiers, and nobody will want to tier up for a tiny percentage handicap at peak. For example, you'd go from $500 a server to $800 a server. And that bump probably wouldn't help anyways, because you're getting more cores (when you really want slightly faster cores) and more memory (which you don't need).

For our own Azure deployments, where we keep metrics of... everything... pre- and post-patch, the difference is measurably zero for our company. That's because you need to purchase enough processing power so that CPU is not a constraint during peak usage, which should be rare. In other words, if you were coming close to 2% mattering, you really had to redesign something (either hardware or software) anyways.

Keep in mind that every year Amazon/Microsoft give us faster VMs for the same price or less. We've been getting 20%+ speed bumps with each generation, plus other optimizations such as better database software (like SQL adding BPE), so generally, most of us are way, way ahead compared to a few years ago. In 2017, Microsoft gave everyone two big price drops, and the second came at the same time as a big performance boost (new generation of CPU plus more RAM).

For a company like Amazon, of course, it's possible that they more widely distribute the workload / add more servers to some clusters. I'd be surprised though, and I'd be shocked if it were anything remotely close to 2%. More likely, they had way more capacity allocated already anyways, to account for factors like growth.


----------



## YuengLinger (Jan 6, 2018)

The apocalyptic tone of the OP and a few others reminds me of all the posts we get here about Canon ready to go out of business. Does everything have to be the end of the world? Do we need the same silly rhetoric that we hear on Nightly News to discuss technical issues? I guess that's how we get attention.


----------



## Jack Douglas (Jan 6, 2018)

Humans tend to fear the unknown or what they don't fully understand, it's pretty natural. And they seem to like doom and gloom news. However, we on CR should be above that. 

Jack


----------



## Orangutan (Jan 6, 2018)

YuengLinger said:


> The apocalyptic tone of the OP and a few others


To be fair, the initial benchmarks on Linux showed 30% performance hit; at the time, that was all the legitimate information available. If Intel, AMD, and others have cut that down to 2% then I'm happy about it. I'm sure we'll see more benchmarks on specific tasks in coming weeks.


----------



## Talys (Jan 6, 2018)

Orangutan said:


> To be fair, the initial benchmarks on Linux showed 30% performance hit; at the time, that was all the legitimate information available. If Intel, AMD, and others have cut that down to 2% then I'm happy about it. I'm sure we'll see more benchmarks on specific tasks in coming weeks.



I am guessing that initial benchmarks plummeting on Linux was just because speculative execution was being disabled (after all, that's a pretty safe way to guarantee that neither Meltdown nor Spectre will do anything).

To play the cynic, though, I suspect Intel and AMD are better at improving benchmark metrics than they are at improving processors.


----------



## Mt Spokane Photography (Jan 7, 2018)

I'm not absolutely sure that my 1st benchmark was done before the update. Both were done on January 3. My benchmark was done at 2:07 pm, there is no exact time given for the update, but my system checked for updates today at 2:27 PM, so if that happens at that time every day, my benchmark just beat out the update by 20 minutes.


----------



## LDS (Jan 7, 2018)

YuengLinger said:


> The apocalyptic tone of the OP and a few others reminds me of all the posts we get here about Canon ready to go out of business. Does everything have to be the end of the world? Do we need the same silly rhetoric that we hear on Nightly News to discuss technical issues? I guess that's how we get attention.



Probably you don't follow IT security (that's my job) and missed all the OS developers scrambling to release patches and system administrators installing them, up to Amazon and Azure accepting downtime, to roll them up as soon as possible. These are big issues, even if you can't understand them, this is not the 5D5 having half a stop of DR less than the A7IV, or not having 12K, but feel free to downplay them.

I reported this news because people here have systems to process and store their images, and many also have websites and other applications - accounting, CRM, backups, often with sensitive data - running on local or cloud systems. Nobody said it's the end of the world, but a situation that needs attention. And which could have impact on performance. You can keep your head in the sand, or look at what it means for you.


----------



## kaihp (Jan 7, 2018)

Mt Spokane Photography said:


> I'm not absolutely sure that my 1st benchmark was done before the update. Both were done on January 3. My benchmark was done at 2:07 pm, there is no exact time given for the update, but my system checked for updates today at 2:27 PM, so if that happens at that time every day, my benchmark just beat out the update by 20 minutes.



From my understanding of the Meltdown bug, the fix is only applied during switches between OS and user-programs. If that is true, then you'll see a small impact when running a CPU benchmark program, since it doesn't call the OS all the time.

IO-intensive systems (e.g. webservers and NAS boxes) will see a much bigger impact.

AWS (Amazon Web Services) have already applied the fix before the release, and some of their customers have already reported slowdowns.


----------



## YuengLinger (Jan 7, 2018)

LDS said:


> YuengLinger said:
> 
> 
> > The apocalyptic tone of the OP and a few others reminds me of all the posts we get here about Canon ready to go out of business. Does everything have to be the end of the world? Do we need the same silly rhetoric that we hear on Nightly News to discuss technical issues? I guess that's how we get attention.
> ...



Again, I said it's the tone of the wailing and moaning. A large part of my career was data protection. We'd get excited about a challenge and look forward to OT. But we didn't work for the big corporations that had to work together to create patches--we didn't write the code. That was in other hands.

I know that corporations, individually and in concert, have, throughout history, done some pretty terrible things. Ford comes to mind with their explosive Pintos.

But I'm not constantly angry at them for their success, gleeful when they screw up, and certain they are trying to destroy my life.

The underlying tone in a few of the posts in this thread is resentment, hostility, and a sense of, "I told you so. The end is here. Those villains are at it again and they are exposed." It's envy, contempt for successful business.

And that tone at times permeates discussions here about Canon/Nikon, about Adobe's subscription model, and others. A venomous, sniping hostility towards companies that make complex products which interact with other complex products for a multitude of needs and expectations, and not only must profit to make more products, but deserve to profit because they sell goods and services people enjoy.

Monopoly? Terrible for customers, agreed, and they generally come about because corporations become powerful and savvy enough to manipulate governments into creating regulatory systems that favor a few big players. Sometimes, though, it's also, to an extent, an example of natural selection applied to economics. That's another discussion.

But, really, all the anger and hysteria about _potential_ performance hits was theatrical and obviously way beyond reality, and a seasoned IT professional would have seen that right away.

Two percent? That two percent was apparently due to shortcuts that were not seen as problematic during engineering and testing, but with better analysis turned out to be a concern. Will the sulking gripers believe it's only 2% (or whatever number Intel and others settle on)? No, they will claim that the malevolent and incompetent corporations that built and maintain our Information Age are messing with our minds once again.

And by the way, OP, your topic title is a slam against Intel specifically, but it turns out AMD is also vulnerable. That's clearly an example of an error that might be fueled by...Who knows? At the very least it is a "fanboy" approach to a serious decision making process.


----------



## Orangutan (Jan 7, 2018)

YuengLinger said:


> And by the way, OP, your topic title is a slam against Intel specifically, but it turns out AMD is also vulnerable. That's clearly an example of an error that might be fueled by...Who knows? At the very least it is a "fanboy" approach to a serious decision making process.



At the time he posted it, all the news said it was Intel-only. It did turn out that AMD had less-extensive vulnerability, but that was not known at the time of the OP. I see the OP as reasonable, given the information available at the time.


----------



## YuengLinger (Jan 7, 2018)

Orangutan said:


> YuengLinger said:
> 
> 
> > And by the way, OP, your topic title is a slam against Intel specifically, but it turns out AMD is also vulnerable. That's clearly an example of an error that might be fueled by...Who knows? At the very least it is a "fanboy" approach to a serious decision making process.
> ...



We have a difference of opinion. Reporting an issue is reasonable. Urging, based on very little info arising out of a developing story, readers to "buy AMD" because of a big Intel bug, was the fanboy approach.


----------



## AaronT (Jan 7, 2018)

As it happens I had started to upgrade from Win 7 Home to Win 7 Pro about a week before Meltdown/Spectre was announced. Upgrading to Pro because it will use all 18 Gigs of memory, Home only recognizes 16 Gigs. Also it was time for a fresh install because I have gone through a lot of programs (install/uninstall) over the last 8 years. A lot of crap builds up over time. I'm running a dual boot setup until I get all my programs loaded on Pro. At the moment Pro is pretty well bare. Just Kaspersky AV loaded. I installed a benchmark program and did a before and after benchmark before the January Quality rollup update. I was offline (nothing checking for updates in the background) and Kaspersky was paused. Very repeatable results. There was a negligible difference between them. On the top is the before results, below the after. BTW, I have an I7 980X Intel processor, GTX 970 GPU and Samsung 500 EVO boot disk.


----------



## Orangutan (Jan 7, 2018)

YuengLinger said:


> Orangutan said:
> 
> 
> > YuengLinger said:
> ...



Er...no. Here's the "urging" from the headline:


> wait - or buy AMD (big Intel bug found)



Notice that "wait" comes first. At the time this was posted, the underlying facts were 100% accurate, and the advice was entirely reasonable: wait....or buy AMD. Go back and read the story from The Register, and note that, although the "story" was developing, the problem had been worked on by Linux kernel devs for weeks or months. The story was new, but the facts were not. At the time of posting, there was 0% reason to believe this was anything other than an Intel-only bug. 

I'm no EE, but I'm pretty sure a hardware bug in one brand of processor does not, necessarily, implicate other brands. In this case, the existence and exploitability of the bug led to greater scrutiny of AMD, ARM and others, and flaws in their implementations were also found. However, there is nothing inherent to the Intel bug (at least as known at the time) to make any reasonable person think it extended beyond Intel.

100% reasonable headline, 100% reasonable post. 0% fanboy.


----------



## LDS (Jan 7, 2018)

YuengLinger said:


> And by the way, OP, your topic title is a slam against Intel specifically, but it turns out AMD is also vulnerable. That's clearly an example of an error that might be fueled by...Who knows? At the very least it is a "fanboy" approach to a serious decision making process.



I have now only Intel processors. I usually preferred them over AMD - that's how much I am an AMD "fanboy".

When I posted the original message, only a few "Meltdown" details were made available. That's an Intel (and, as revealed later, some ARM) issue only, so, regarding it, the original statement is still true. Later details about other vulnerabilities surfaced. They are kept secret as much as possible, and those who are aware of them are bound to that secrecy, to avoid malware being able to exploit them before a fix is available.

As I already wrote earlier, when more info became available, the title is no longer valid. Does it invalidate everything else?

The performance impact on different workloads is still being assessed. Will it be lower than initial benchmarks and forecasts? All the better.

Still, Intel and others sold processors with flaws - if I set a bit in a page telling the CPU it's "supervisor" access only, I expect it to be honored - just as if I set a lens to 1m I expect it to focus there, not 0.8 or 1.2. Here there are people who return lenses if they're not up to their specs, and expect Canon to be flawless, given the price they pay.

Car makers (and not only them) used to sell defective - and sometimes deadly - products until they were forced to recall them at their own expense, and pay the damage done. Computers became critical systems - not only for cat photos, so we should expect better from manufacturers.


----------



## PavelR (Jan 7, 2018)

FYI: Fix for Linux already exists and behaves the same way (slower kernel calls) on Intel and also on AMD CPU. Thus using AMD CPU is not the solution to avoid slowing down the system.


----------



## Mt Spokane Photography (Jan 7, 2018)

LDS said:


> YuengLinger said:
> 
> 
> > And by the way, OP, your topic title is a slam against Intel specifically, but it turns out AMD is also vulnerable. That's clearly an example of an error that might be fueled by...Who knows? At the very least it is a "fanboy" approach to a serious decision making process.
> ...



This site is highly ranked by the search engines, and your title is shown all over the internet, so yes, it matters because it will be around the internet for a long time, and non-CR readers will see the title and not read through the many pages of posts to find one small sentence that says ignore the title.


----------



## Orangutan (Jan 7, 2018)

Mt Spokane Photography said:


> This site is highly ranked by the search engines, and your title is shown all over the internet, so yes, it matters because it will be around the internet for a long time, and non-CR readers will see the title and not read through the many pages of posts to find one small sentence that says ignore the title.



1. No one should take definitive computer advice from CR. 

2. The coverage here will be overwhelmed by coverage in larger news media and trade publications.

3. The claim of persistence is trivially true for any news/social media site.

4. The post title was legitimate for the time. If it proved to be completely false then it would merit a deletion/edit, but it hasn't. I see nothing wrong with what OP posted in this thread, and I'm completely befuddled by the negative response.


----------



## Mt Spokane Photography (Jan 7, 2018)

Orangutan said:


> I see nothing wrong with what OP posted in this thread, and I'm completely befuddled by the negative response.



;D


----------



## Jack Douglas (Jan 7, 2018)

Mt Spokane Photography said:


> Orangutan said:
> 
> 
> > I see nothing wrong with what OP posted in this thread, and I'm completely befuddled by the negative response.
> ...



Overreaction, I think, from different points of view and more like a tempest in a teapot (not the fact of a bug; that is what it is). The thread gets one thinking and hopefully ultimately informed.

Jack


----------



## YuengLinger (Jan 7, 2018)

If you are going to buy a new camera wait - or buy Sony (big Canon bug found)

Silly season.

Sigh...


----------



## Mt Spokane Photography (Jan 7, 2018)

YuengLinger said:


> If you are going to buy a new camera wait - or buy Sony (big Canon bug found)
> 
> Silly season.
> 
> Sigh...



Check out reviews on products at Amazon. Look at the lowest rating comments. There will always be a "Don't Buy This" comment from someone who had an issue. Even if there are hundreds of thousands of sales and a handful of bad reviews.


----------



## Valvebounce (Jan 8, 2018)

*Re: If you're going to buy a new PC, wait all processors affected! *

Hi Folks. 
All this toing and froing about the title and no one thought to edit it? Yes I know I have only changed my reply header and any replies to this post. I believe the OP can change the main title if they desire?
Thanks to OP for bringing it to my attention. 
Thanks to Mt Spokane for drawing my attention to a very interesting (and somewhat scary) read about hacked cars.  

Cheers, Graham.


----------



## LDS (Jan 8, 2018)

*Re: If you're going to buy a new PC, wait all processors affected! *



Valvebounce said:


> All this toing and froing about the title and no one thought to edit it? Yes I know I have only changed my reply header and any replies to this post. I believe the OP can change the main title if they desire?



I didn't change the title because it could have looked like a new thread, and reply titles wouldn't have changed, I guess.

I guess Intel has more to fear than this thread - AFAIK all the main news about Intel didn't change their article titles later, so that's going to haunt it for a while. Hope people don't trust a title only, but actually read what's written.


----------



## Valvebounce (Jan 8, 2018)

*Re: If you're going to buy a new PC, wait all processors affected! *

Hi LDS. 
Like you I’m not sure the title really makes a great deal of difference now, I’m sure the damage done by your title will pale into insignificance compared to what the major news media will cause, an unfortunate consequence of an evolving situation.
I’m sure very few people (if any) would come here first looking for software / hardware security advice. I’m willing to take security advice from this site as I’m already here and feel I have a handle on the trustworthiness of the info available. Plus I read the whole thread!

Cheers, Graham. 



LDS said:


> Valvebounce said:
> 
> 
> > All this toing and froing about the title and no one thought to edit it? Yes I know I have only changed my reply header and any replies to this post. I believe the OP can change the main title if they desire?
> ...


----------



## midluk (Jan 9, 2018)

PavelR said:


> FYI: Fix for Linux already exists and behaves the same way (slower kernel calls) on Intel and also on AMD CPU. Thus using AMD CPU is not the solution to avoid slowing down the system.


There is not one fix for Linux but currently every distribution has some slightly different workarounds in their kernels. The first fix for Meltdown in the upstream kernel was indeed for all CPUs but has since been disabled again for AMD CPUs.
Then of course there are workarounds for Spectre which also affect AMD, but those are mostly still work in progress and even more chaos exists between different Linux distributions.

Before anything can be said about performance impact, we should wait a month or two until all (or most) workarounds are in place.


----------



## Luds34 (Jan 9, 2018)

PavelR said:


> FYI: Fix for Linux already exists and behaves the same way (slower kernel calls) on Intel and also on AMD CPU. Thus using AMD CPU is not the solution to avoid slowing down the system.



I don't believe that is true. All the patches we are seeing are for Meltdown (which affects Intel, but not AMD. Spectre is much more difficult to deal with). The fix/workaround is to segment the kernel memory, which is leading to the performance hit for system calls. I believe the code changes on the Linux kernel are checking the CPU and only applying the segmentation/isolation of the kernel memory on the affected CPUs. In fact, I believe it was an AMD engineer that had "too detailed" of comments in a check-in to the kernel that made this exploit public knowledge.


----------
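The posts above disagree on whether the Linux Meltdown workaround (kernel page-table isolation, reported as "PTI") is switched on for AMD as well as Intel, and note that distributions differ. As an added example (not from any poster in the thread), this Python script classifies the status lines that patched Linux kernels expose under `/sys/devices/system/cpu/vulnerabilities/`; the sample contents are constructed and the function names are my own.

```python
#!/usr/bin/env python3
"""Classify Meltdown/Spectre status lines from Linux sysfs."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
EXPECTED = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents (not captured from real machines), following the
# kernel's three status forms: "Not affected", "Vulnerable", "Mitigation: <name>".
SAMPLES = {
    "intel-patched": {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    },
    "amd-patched": {
        "meltdown": "Not affected\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Mitigation: Full AMD retpoline\n",
    },
    "intel-unpatched": {
        "meltdown": "Vulnerable\n",
        "spectre_v1": "Vulnerable\n",
        "spectre_v2": "Vulnerable\n",
    },
}


def classify(text):
    """Map one status line to (state, detail)."""
    line = text.strip()
    if line == "Not affected":
        return ("not_affected", "")
    head, _, detail = line.partition(":")
    if head.strip() == "Mitigation":
        return ("mitigated", detail.strip())
    if head.strip() == "Vulnerable":
        return ("vulnerable", detail.strip())
    # Empty or unrecognised text: report it, never assume it means "safe".
    return ("unknown", line)


def read_sysfs(directory=SYSFS_DIR):
    """Return {file name: contents}; empty dict if the kernel lacks the interface."""
    if not directory.is_dir():
        return {}
    entries = {}
    for path in sorted(directory.iterdir()):
        try:
            entries[path.name] = path.read_text()
        except OSError:
            entries[path.name] = ""
    return entries


def report(entries):
    """Classify every expected issue; a missing file counts as unknown."""
    names = sorted(set(EXPECTED) | set(entries))
    return {name: classify(entries.get(name, "")) for name in names}


def kpti_active(entries):
    """True only when the Meltdown workaround (PTI) is enabled, which is the
    case where the extra cost on each user/kernel switch is paid."""
    state, detail = classify(entries.get("meltdown", ""))
    return state == "mitigated" and "PTI" in detail


def needs_attention(entries):
    """Names whose status is vulnerable or cannot be determined."""
    return [n for n, (s, _) in report(entries).items()
            if s in ("vulnerable", "unknown")]


if __name__ == "__main__":
    live = read_sysfs()
    hosts = {"this host": live} if live else SAMPLES
    for host, entries in hosts.items():
        print(f"{host}: PTI active = {kpti_active(entries)}")
        for name, (state, detail) in report(entries).items():
            print(f"  {name:<12} {state:<12} {detail}")
```
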



## ethanz (Jan 9, 2018)

And here I am still on OSX 10.10 not wanting to update but if I want this patch I'm sure Apple would only make it for 10.12 or whatever the newest version is.


----------



## privatebydesign (Jan 9, 2018)

ethanz said:


> And here I am still on OSX 10.10 not wanting to update but if I want this patch I'm sure Apple would only make it for 10.12 or whatever the newest version is.



That’s not true, Apple regularly make security updates for older OS’s.


----------



## Talys (Jan 9, 2018)

Apparently, the Spectre fix in Windows is now turning some AMD machines into toasters, with the only fix to reinstall Windows and not applying the Spectre fix (which makes Windows AMD machines vulnerable to Spectre).

https://www.neowin.net/news/microsofts-spectre-fix-is-apparently-bricking-some-amd-pcs

From Microsoft:


> Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown. To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause sending the following Windows operating system updates to devices with impacted AMD processors at this time.



@Luds34 - The Windows fix and the UEFI update to Surface devices (and similar updates to other hardware) mitigate vulnerability to both Spectre and Meltdown. I believe Apple patched one of them prior to general publication, and now has a patch for the other -- but I'm not an Apple guy, so I only skim read security bulletins related to OSX and iOS.


----------



## Luds34 (Jan 10, 2018)

Talys said:


> Apparently, the Spectre fix in Windows is now turning some AMD machines into toasters, with the only fix to reinstall Windows and not applying the Spectre fix (which makes Windows AMD machines vulnerable to Spectre).
> 
> https://www.neowin.net/news/microsofts-spectre-fix-is-apparently-bricking-some-amd-pcs
> 
> ...



Haha, yes I saw that. In fairness though, it appears to be some pretty old AMD chips, like Athlon 64 X2 and such, pre Ryzen, FX, Phenom, etc. With photography equipment being as expensive as it is, I somehow doubt folks on here are using computer chips from 10+ years ago (amateur or pro) to post process.

Yes, you are correct there are patches being released for Spectre. I was oversimplifying because while Meltdown is very specific and can be worked around and the fixes are rolling out, Spectre is a more general tactic which affects a lot of systems in various manners, many not yet found (aka any patches you are seeing are not fully inclusive for all possible Spectre vulnerabilities). For example, there is a risk of a Spectre type attack occurring in the JavaScript engine, where one website could execute malicious JavaScript and read sensitive data from another browser that is opened at the same time. The defense is to (at least in Chrome) turn on a setting that runs each website in its own process.


----------



## Mt Spokane Photography (Jan 10, 2018)

*Microsoft: No more Windows patches at all if your AV clashes with our Meltdown f*

Now, some Antivirus software which has been making unsupported calls to the Kernel is blocking computers from booting. I'll bet more software that does this will appear.

During testing of the patches for the two attacks, Microsoft discovered some antivirus had been making "unsupported calls into Windows kernel memory" that stop a machine from booting or cause blue screen of death (BSOD) errors after the patch is applied. To avoid this issue, it introduced the new rules.

http://www.zdnet.com/article/microsoft-no-more-windows-patches-at-all-if-your-av-clashes-with-our-meltdown-fix/


----------



## 9VIII (Jan 10, 2018)

At this point I’m basically just going to wait for 2020 to shop for a new CPU.
Thankfully I already have some decent systems, but if I only had an older CPU right now I would be mad.

Looks like it’s going to be a while before Spectre can actually be dealt with properly.


----------



## jolyonralph (Jan 10, 2018)

And now even GPUs are affected!

https://www.engadget.com/2018/01/10/nvidia-gpu-meltdown-and-spectre-patches/


----------



## Talys (Jan 10, 2018)

9VIII said:


> At this point I’m basically just going to wait for 2020 to shop for a new CPU.
> Thankfully I already have some decent systems, but if I only had an older CPU right now I would be mad.
> 
> Looks like it’s going to be a while before Spectre can actually be dealt with properly.



I really wouldn't worry about it if you wanted to buy a new computer. If there is a difference in Photoshop or Lightroom, it's immeasurable. 

On the other hand, frankly, the practical difference between a 6, 7, and 8th gen desktop i7 and between a new $300 processor and $1,500 are all relatively small for PS/LR, as long as you have plenty of RAM and SSD. 

In Photoshop or Lightroom, I think I actually notice caching to m.2 SSD's more than I notice the faster CPU speed. The problem is that everything that is sluggish in a 3 year old PC is still sluggish in a brand new, 8700K with all the works, either before or after the Spectre/Meltdown fix. So things I wish happened faster (even if it's only a couple of seconds) are still that way, and frankly, I can't tell the difference between 1.9, 2.1 and 2.4 seconds (that would be generations of PCs)... they're all irritatingly slow. 

And... everything else is instant.

IMHO, for PS/LR stuff, if you have a Haswell+ processor, I wouldn't bother upgrading unless you know you'll get a very specific benefit, because even though the processor is certainly faster/has more cores/etc, it isn't going to FEEL any faster. If you play demanding 3D games (or want to mine bitcoin...), you'll get more mileage out of buying a GeForce 1080 than anything.




jolyonralph said:


> And now even GPUs are affected!
> 
> https://www.engadget.com/2018/01/10/nvidia-gpu-meltdown-and-spectre-patches/



Sad, isn't it? But basically, anything that has speculative execution and where arbitrary code can run is probably affected to some extent :'(


----------



## Mikehit (Jan 10, 2018)

So what does this mean for secure internet banking and other 'private' operations?

If, for example, you do a virus sweep then open only your chosen browser (IE, Google, Mozilla...) then go onto your banking website will you be secure?


----------

