Samsung's 3-D V-NAND was a revolutionary development. Traditional 2-D NAND started to become unreliable around 20nm, and the addition of TLC, not to mention QLC, only made that much worse. Samsung's 3-D V-NAND increased the architecture size to a roomier 30nm to 40nm while expanding into 3-D. Samsung used this 3-D V-NAND starting with the 850 Pro and 850 EVO consumer drives and SM863 and PM863 enterprise drives.
The 850 Pro is a very nice SSD and works very well for laptops, but the SM863 and PM863 added power loss protection in the form of tantalum capacitors which allowed data still in transit to finish the journey. This means that SSDs used as desktop system drives without a UPS won't brick if the power suddenly disappears.
The SM863 bests the PM863 because the former is MLC while the latter is TLC, with every "LC" generation having a tenfold reduction in reliability and endurance. The 850 EVO is also TLC.
And both the SM863 and PM863 use the enterprise version of Samsung's Magician, which is a CLI, versus the telemetry-gathering Magician for consumer SSDs. Only those who have secure-erased SSDs can appreciate the difference. With Samsung's consumer Magician, Intel SSD Toolbox, hdparm in Linux, and other consumer utilities, the SSD has to be physically unplugged and reconnected after the process starts in order to unfreeze it -- in the logical sense, not the temperature one -- while DC Magician just works.
SSDs are becoming faster, mostly in PCIe form factors, but the SM863 will be remembered as one of the best 2.5" SSDs ever made, along with Intel's DC S3700 with specially chosen HET NAND and Intel's 730 with factory overclocking and NAND almost as good as the DC S3700, with both Intel products also having power loss protection.
Cisco Talos initially recommended that reinstallation of Windows or returning to a time before the infection via backups was the only solution. Now it has doubled down on that advice, saying that it can "confirm that at least 20 victim machines were served specialized secondary payloads." And the gathered "information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system." Both Kaspersky and Cisco Talos believe that the attackers are Group 72, probably from China.
So contrary to the speculations of Piriform which stated that it stopped the infections before they started, it appears that the malware was actually highly successful. The only silver lining is that it was initially targeting high-value computers and not the average surfer.
CCleaner 5.33 was signed using a valid digital signature issued to Piriform. Now Avast has revealed that 32- and 64-bit payloads were included, with the former using a patched TSMSISrv.dll (originally VirtCDRDrv32.dll created by Corel), and the latter using a patched EFACli64.dll (originally part of Symantec Extended File Attributes used in its Internet Security product).
Your author is reinstalling Windows on all computers for which he is responsible, with Piriform products not being reinstalled, and recommends that everyone else do the same, unless they have suitable backups and use them promptly.
If reinstalling Windows is beyond you, you must do three things immediately:
1) Uninstall all Piriform products -- CCleaner, Defraggler, Recuva, and Speccy -- via Control Panel -> Uninstall a program.
2) Go to C:\Windows\Prefetch (you'll need to use an admin login) and delete all entries that start with "ccleaner" and also ones that have the format "ccsetupxxx" (there will be one for each version of CCleaner that was ever installed on your PC, e.g. "ccsetup533"). Then reboot.
3) Download, install, and run a full system scan with Malwarebytes (the free version is okay).
One of the most popular freeware Windows products, CCleaner, was compromised by unknown parties. Supposedly only the 32-bit (5.33.6162) and Cloud (1.07.3191) versions were affected, but given that Piriform, now owned by Avast, was informed of the intrusion by two outside parties, users should be wary of all other versions. The only trustworthy cleaner is the one already in Windows, Disk Cleanup: use the Start menu to search for Disk Cleanup and then run it. This would be an excellent time to run full scans with Malwarebytes and then your regular antivirus.
Cisco Talos stated: "Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool." According to Piriform, "the code executed ... was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.)," so it's possible that the malware is actually worse than we know. And contrary to Piriform's assertions, updating to the latest version of CCleaner does not completely remove the infection, specifically with respect to the registry.
For a while, Microsoft complained when the IP address used to access Hotmail / Live email was different from the one previously used, even though users with DSL obtain a different one with every router reboot. Obviously someone at Microsoft had not thought the problem through.
Now Microsoft is complaining when I try to access Hotmail / Live email via Firefox on Linux, even though there are no complaints when I access it using Firefox on Windows, with the same hardware being used for both (this PC has a drive swap capability).
And to double the fun, the email Microsoft sends when it is suspicious, titled "Microsoft account unusual sign-in activity," is sent to the spam folder.
There are four types of NAND flash, with an erratic naming convention: SLC (single-level cell), MLC (multi-level cell), TLC (triple-level cell), and QLC (quad-level cell). SLC NAND is used for cache in SSDs and HDDs, but DRAM is more common. In terms of the number of bits of data each scheme's cell can handle, SLC, MLC, TLC, and QLC accommodate 1, 2, 3, and 4, respectively. The controller software has to tell those levels apart, and any drift in the voltages a cell can hold plays havoc with that.
The industry has mostly switched from 2-D to 3-D NAND, though SLC will probably never be made in 3-D. Each "LC" generation is worse with respect to endurance and performance -- MLC is ten times worse than SLC and QLC is one thousand times worse than SLC -- but the yield is greater from the silicon, i.e. profits are higher. TLC introduced a startling drop in write speed as compared to MLC, with QLC being even worse. This is true for both SSDs and USB flash drives.
Some users might be tempted to eschew bargain-basement TLC and QLC SSDs and return to HDDs, but knowledgeable buyers will buy from vendors who supply MLC NAND flash.
Samsung revealed that it is out-of-touch with the SSD industry, but in a good way, asserting in a press release: "Samsung expects that the industry will now focus more on the high performance and reliability of memory storage, rather than immerse itself in a chip scaling race."
Samsung offers 3-D NAND flash in both MLC and TLC, but all of its competitors are concentrating on TLC, with most SSDs only being released with TLC in a race to the bottom. Samsung's press release demonstrated that the company intends to be the leader in the high-end market for both consumer and enterprise SSDs.
Brad Smith, president and chief legal officer of Microsoft, wailed about the WannaCrypt ransomware, which is built on the EternalBlue exploit that was negligently lost by the NSA:
"Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
In truth, many Windows 7 and 8.1 customers would have been fully patched if Microsoft had not tried to shove Windows 10 down everyone's throat by using tactics many considered to be akin to malware. Many users changed their Windows Update setting to "Never check for updates" to avoid being moved to Windows 10.
Microsoft doubled down on user-hostile interfaces with its elimination of security bulletins, which many users depended upon to decide whether an update should be accepted, not to mention combining many unrelated updates into one bundle, forcing users to either accept or reject everything.
By the way, Linux isn't affected by WannaCrypt.
Intel confirmed (here and here) that using an add-in NIC card instead of the on-board NIC will prevent AMT from running, as only the NIC built into the chipset communicates with the ME and AMT. And it does not matter which chipset vendor -- Intel, Realtek, etc. -- or bus type -- PCI or PCIe -- the card employs. This solution won't work for everyone, but it's one way to prevent attacks.
I previously wondered just how vulnerable Intel's vPro, ME, and AMT were, but I had no idea. AMT accepts a zero-length password hash field, something that should have been caught by any Intel developer. Access is possible as long as the PC has power and Ethernet connectivity.
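The defect class described above, as an added illustration that is not Intel's firmware code: an authentication check that compares only as many bytes as the client supplied treats an empty response as a match, while a check that first requires the full expected length and then compares every byte does not. The function names and the EXPECTED value are assumed and constructed for this example.

```c
/* Added example, not Intel's code: a digest-style response check that
 * accepts an empty field, beside the hardened form a developer should write. */
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample: the response the server computed for this request.
 * A real digest would be derived from the shared secret and the nonce. */
static const char EXPECTED[] = "5d41402abc4b2a76b9719d911017c592";

/* Vulnerable form: the comparison length comes from the client's field.
 * strncmp(..., 0) compares nothing and returns 0, so "" passes; a correct
 * prefix of any length also passes. */
bool auth_check_vulnerable(const char *supplied)
{
    return strncmp(EXPECTED, supplied, strlen(supplied)) == 0;
}

/* Hardened form: the supplied field must be exactly the expected length,
 * and every byte is compared without early exit so timing does not reveal
 * how much of the prefix matched. */
bool auth_check_hardened(const char *supplied)
{
    size_t n = strlen(EXPECTED);
    if (strlen(supplied) != n)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(EXPECTED[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed inputs: empty field, correct prefix, exact match, wrong value. */
    const char *inputs[] = { "", "5d41402a", EXPECTED, "00000000000000000000000000000000" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\": vulnerable=%d hardened=%d\n", inputs[i],
               auth_check_vulnerable(inputs[i]), auth_check_hardened(inputs[i]));
    return 0;
}
```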
The best resource I have seen on the subject is from SSH Communications Security with links to OEMs, though I strongly suggest you avoid the link for Intel drivers from a non-Intel source. Intel's official announcement and its Detection Guide are worth perusing.
Intel admitted that the vulnerability is not limited to Q-chipsets, with the list of affected Intel desktop boards being:
- Intel Desktop Board DB65AL
- Intel Desktop Board DB75EN
- Intel Desktop Board DB85FL
- Intel Desktop Board DQ57TM
- Intel Desktop Board DQ57TML
- Intel Desktop Board DQ67EP
- Intel Desktop Board DQ67OW
- Intel Desktop Board DQ67SW
- Intel Desktop Board DQ77CP
- Intel Desktop Board DQ77KB
- Intel Desktop Board DQ77MK
- Intel Desktop Board DQ87PG
NUCs and at least one Compute Stick are affected:
- Intel NUC Board D53427RKE
- Intel NUC Board NUC5i5MYBE
- Intel NUC Kit DC53427HYE
- Intel NUC Kit NUC5i5MYHE
- Intel Compute Stick STK2mv64CC
Motherboards from other vendors with Q or B chipsets are vulnerable and firmware should be obtained from them. Laptops from HP and Lenovo may or may not be vulnerable, but at the time I wrote this, Dell still had no clue.
One moral of the story is, do not buy Intel processors with vPro unless you are buying for corporate use and intend to use AMT. Verify your processor's specifications at Intel's Ark.
I retrieved the spare 2.5" drive caddy I had purchased for my HP ProBook laptop -- it cost me almost $30 including shipping from HP around three years ago -- because I wanted to research device drivers without disturbing the current operating system. I was planning on removing the current SSD and replacing it with a spare 2.5" hard drive I keep for laptop repairs. However, when I tried to remove the caddy from its plastic bag, I knew there was a problem because it stuck to the inside of the bag.
After I got it out, I saw that most of the edges of the black plastic were sticky, as if they had been converted to adhesive. As can be seen on the enclosed photo -- the sticky stuff mostly appears darker and/or shiny, with the apparent writing in the middle being adhesive which transferred via the pull-tab -- the caddy consists of an aluminum frame with flexible plastic covering the top and bottom of the drive. Over the last year or so, the edges of the plastic had changed.
After I disassembled the caddy regularly kept in the laptop, I saw that the plastic was sticky on a few edges, though not nearly as bad as the other one. Some of the sticky stuff had transferred to the exterior of the SSD and the section of the laptop under the caddy. I brought out my trusty bottle of Goo-Gone and proceeded to remove the sticky mess on the laptop and SSD. I realized that the plastic would only become worse with time, so I peeled it off both frames, necessitating more severe cleaning, this time of the adhesive used to mate the plastic and frame.
If I had let it go much longer, the SSD and/or laptop might have been permanently damaged.
The frame is usable as is because the drive screws into it and then the frame screws into the laptop. The only thing I'll miss is the pull-tab which made it easier to insert and remove the caddy.
I'm not a chemist, so I don't know how difficult it is to make flexible plastic, but I have German headphones which are well over 20 years old with non-sticky earpieces. All of my computers and parts are stored in a cool basement, so temperature was not a factor here.
HP saved a few cents with its low-bidder, Chinese plastic. The legacy of Carly Fiorina lives on.
A new driver with a status of "recommended" appeared in Microsoft Update for Windows 7/8/8.1 PCs, "INTEL – System – 8/19/2016 12:00:00 AM – 10.1.2.80," but the associated webpage explains nothing. The Microsoft Update Catalog entry suggests that the updates are USB related.
In fact, the updates are INF (chipset) packages v.10. And they break older PCs.
After Intel left the motherboard business, it tried to put the driver situation to bed. But then Windows 10 appeared, with users understandably miffed at Intel's washing its hands of the whole affair.
Chipset drivers were released by Intel that could not be used with older chipsets -- 8-series and older -- with the line being between v.9 and v.10. Other Intel drivers have a similar story.
Now Microsoft Update has triggered a mass update for reasons unknown, sending the Intel chipset drivers intended for newer systems to older ones.
This is reminiscent of Microsoft's previous venture into Intel drivers, where Microsoft released a graphics driver, 184.108.40.20659, ostensibly for Sandy Bridge and Ivy Bridge processors for Windows 10. There are plenty of examples where Windows 10 causes problems with Sandy Bridge (here are examples for Dell, Sony, Intel, Intel, Intel, and Intel).
Searching on microsoft.com revealed nothing about this driver. Softpedia reported that 220.127.116.1159 is intended only for Ivy Bridge processors, which would be consistent with what Intel support has always stated for those processors and their graphics: that drivers for Sandy Bridge will not be forthcoming. And if this driver really did eliminate the problems, why didn't Microsoft release it before its July 29 deadline for the free upgrade?
I sent a query to Intel Media Relations which responded with an exact quote from engineering: "Intel did not release this driver. Intel issued a small update to the existing driver for Win7/8/8.1, but did not issue a driver for Windows 10."
So it was Microsoft that edited an existing 7/8/8.1 driver and gave it a version of 18.104.22.16859.
Microsoft Update can no longer be trusted for Intel drivers. Go to the Intel Downloads website and get them yourself. Only install Management Engine drivers if you are using Active Management Technology in an enterprise environment. All other vendor drivers should be obtained from the official website. Hide all spurious drivers appearing in Microsoft Update.
And start learning Linux.