Samsung's 3-D V-NAND was a revolutionary development. Traditional 2-D NAND started to become unreliable below 20nm, and the addition of TLC, not to mention QLC, only made that much worse. Samsung's 3-D V-NAND increased the architecture size to a roomier 30nm to 40nm while expanding into 3-D. Samsung used this 3-D V-NAND starting with the 850 Pro and 850 EVO consumer drives and SM863 and PM863 enterprise drives, with all of these drives being fast enough to saturate SATA III.
The 850 Pro is a very nice SSD and works very well for laptops, but the SM863 and PM863 added power loss protection in the form of tantalum capacitors which allowed data still in transit to finish the journey. This means that SSDs used as desktop system drives without a UPS won't brick if the power suddenly disappears.
The SM863 bests the PM863 because the former is MLC while the latter is TLC, with every "LC" generation having a tenfold reduction in reliability and endurance. The 850 EVO is also TLC.
And both the SM863 and PM863 use the enterprise version of Samsung's Magician, which is a CLI versus the telemetry-gathering Magician for consumer SSDs. Only those who have secure-erased SSDs can appreciate the difference. With Samsung's consumer Magician, Intel SSD Toolbox, hdparm in Linux, and other consumer utilities, the SSD has to be removed after the process starts to unfreeze -- in the logical sense, not the temperature one -- while DC Magician just works.
SSDs are becoming faster, though in PCIe form factors, but the SM863 will be remembered as one of the best 2.5" SSDs ever made, along with Intel's DC S3700 with specially chosen HET NAND and Intel's 730 with factory overclocking and NAND almost as good as the DC S3700, with both Intel products also having power loss protection.
There are four types of NAND flash, with an erratic naming convention: SLC (single-level cell), MLC (multi-level cell), TLC (triple-level cell), and QLC (quad-level cell). SLC NAND is used for cache in SSDs and HDDs, but DRAM is more common. In terms of the number of bits of data each scheme's cell can handle, SLC, MLC, TLC, and QLC accommodate 1, 2, 3, and 4, respectively. Software is required to do this, but any variation in the voltages cells can accept plays havoc.
The industry has mostly switched from 2-D to 3-D NAND, though SLC will probably never be made in 3-D. Each "LC" generation is worse with respect to endurance and performance -- MLC is ten times worse than SLC and QLC is one thousand times worse than SLC -- but the yield is greater from the silicon, i.e. profits are higher. TLC introduced a startling drop in write speed as compared to MLC, with QLC being even worse. This is true for both SSDs and USB flash drives.
Some users might be tempted to eschew bargain-basement TLC and QLC SSDs and return to HDDs, but knowledgeable buyers will buy from vendors who supply MLC NAND flash.
Samsung revealed that it is out-of-touch with the SSD industry, but in a good way, asserting in a press release: "Samsung expects that the industry will now focus more on the high performance and reliability of memory storage, rather than immerse itself in a chip scaling race."
Samsung offers 3-D NAND flash in both MLC and TLC, but all of its competitors are concentrating on TLC, with most SSDs only being released with TLC in a race to the bottom. Samsung's press release demonstrated that the company intends to be the leader in the high-end market for both consumer and enterprise SSDs.
Brad Smith, president and chief legal officer of Microsoft, wailed regarding WannaCrypt ransomware which was negligently lost by the NSA, with its former name being EternalBlue:
"Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
In truth, many Windows 7 and 8.1 customers would have been fully patched if Microsoft had not tried to shove Windows 10 down everyone's throat by using tactics many considered to be akin to malware. Many users changed their Windows Update setting to "Never check for updates" to avoid being moved to Windows 10.
Microsoft doubled-down on user-hostile interfaces with its elimination of security bulletins, which many users depended upon to understand if an update should be accepted, not to mention combining many unrelated updates into one bundle, forcing users to either accept or reject everything.
By the way, Linux isn't affected by WannaCrypt.
Intel confirmed (here and here) that using a separate NIC card instead of the on-board NIC will prevent AMT from running, as only the NIC built into the chipset communicates with the ME and AMT. And it does not matter which chipset vendor -- Intel, Realtek, etc. -- or bus type -- PCI or PCIe -- the card employs. This solution won't work for laptops, but it's one way to prevent attacks.
And don't keep your modem / router powered-on when you are away from your computer(s), as ME runs whenever it is connected to a power source -- for a laptop, it runs as long as the battery has power -- and is connected to the Internet.
I previously wondered just how vulnerable Intel's vPro, ME, and AMT were, but I had no idea. AMT accepts a zero-length password hash field, something that should have caught by any Intel developer. Access is possible as long as the PC has power and Ethernet connectivity.
The best resource I have seen on the subject is from SSH Communications Security with links to OEMs, though I strongly suggest you avoid the link for Intel drivers from a non-Intel source. Intel's official announcement and its Detection Guide are worth perusing.
Intel admitted that the vulnerability is not limited to Q-chipsets, with the list of affected Intel desktop boards being:
- Intel Desktop Board DB65AL
- Intel Desktop Board DB75EN
- Intel Desktop Board DB85FL
- Intel Desktop Board DQ57TM
- Intel Desktop Board DQ57TML
- Intel Desktop Board DQ67EP
- Intel Desktop Board DQ67OW
- Intel Desktop Board DQ67SW
- Intel Desktop Board DQ77CP
- Intel Desktop Board DQ77KB
- Intel Desktop Board DQ77MK
- Intel Desktop Board DQ87PG
NUCs and at least one Compute Stick are affected:
- Intel NUC Board D53427RKE
- Intel NUC Board NUC5i5MYBE
- Intel NUC Kit DC53427HYE
- Intel NUC Kit NUC5i5MYHE
- Intel Compute Stick STK2mv64CC
Motherboards from other vendors with Q or B chipsets are vulnerable and firmware should be obtained from them. Laptops from HP and Lenovo may or may not be vulnerable, but at the time I wrote this, Dell still had no clue.
One moral of the story is, do not buy Intel processors with vPro unless you are buying for corporate use and intend to use AMT. Verify your processor's specifications at Intel's Ark.
I retrieved the spare 2.5" drive caddy I had purchased for my HP ProBook laptop -- it cost me almost $30 including shipping from HP around three years ago -- because I wanted to research device drivers without disturbing the current operating system. I was planning on removing the current SSD and replacing it with a spare 2.5" hard drive I keep for laptop repairs. However, when I tried to remove the caddy from its plastic bag, I knew there was a problem because it stuck to the inside of the bag.
After I got it out, I saw that most of the edges of the black plastic were sticky, as if they had been converted to adhesive. As can be seen on the enclosed photo -- the sticky stuff mostly appears darker and/or shiny, with the apparent writing in the middle being adhesive which transferred via the pull-tab -- the caddy consists of an aluminum frame with flexible plastic covering the top and bottom of the drive. Over the last year or so, the edges of the plastic had changed.
After I disassembled the caddy regularly kept in the laptop, I saw that the plastic was sticky on a few edges, though not nearly as bad as the other one. Some of the sticky stuff had transferred to the exterior of the SSD and the section of the laptop under the caddy. I brought out my trusty bottle of Goo-Gone and proceeded to remove the sticky mess on the laptop and SSD. I realized that the plastic would only become worse with time, so I peeled it off both frames, necessitating more severe cleaning, this time of the adhesive used to mate the plastic and frame.
If I had let it go much longer, the SSD and/or laptop might have been permanently damaged.
The frame is usable as is because the drive screws into it and then the frame screws into the laptop. The only thing I'll miss is the pull-tab which made it easier to insert and remove the caddy.
I'm not a chemist, so I don't know how difficult it is to make flexible plastic, but I have German headphones which are well over 20 years old with non-sticky earpieces. All of my computers and parts are stored in a cool basement, so temperature was not a factor here.
HP saved a few cents with its low-bidder, Chinese plastic. The legacy of Carly Fiorina lives on.
A new driver with a status of "recommended" appeared in Microsoft Update for Windows 7/8/8.1 PCs, "INTEL – System – 8/19/2016 12:00:00 AM – 10.1.2.80," but the associated webpage explains nothing. The Microsoft Update Catalog entry suggests that the updates are USB related.
In fact, the updates are INF (chipset) packages v.10. And they break older PCs.
After Intel left the motherboard business, it tried to put the driver situation to bed. But then Windows 10 appeared, with users understandably miffed at Intel's washing its hands of the whole affair.
Chipset drivers were released by Intel that could not be used with older chipsets -- 8-series and older -- with the line being between v.9 and v.10. Other Intel drivers have a similar story.
Now Microsoft Update has triggered a mass update for reasons unknown, sending the Intel chipset drivers intended for newer systems to older ones.
This is reminiscent of Microsoft's previous venture into Intel drivers, where Microsoft released a graphics driver, 126.96.36.19959, ostensibly for Sandy Bridge and Ivy Bridge processors for Windows 10. There are plenty of examples where Windows 10 causes problems with Sandy Bridge (here are examples for Dell, Sony, Intel, Intel, Intel, and Intel).
Searching on microsoft.com revealed nothing about this driver. Softpedia reported that 188.8.131.5259 is intended only for Ivy Bridge processors which would be consistent with what Intel support has always stated for processors and graphics thereof, that drivers for Sandy Bridge will not be forthcoming. And if this driver really did eliminate the problems, why didn't Microsoft release it before its July 29 deadline of applying for the free upgrade?
I sent a query to Intel Media Relations which responded with an exact quote from engineering: "Intel did not release this driver. Intel issued a small update to the existing driver for Win7/8/8.1, but did not issue a driver for Windows 10."
So it was Microsoft that edited an existing 7/8/8.1 driver and gave it a version of 184.108.40.20659.
Microsoft Update can no longer be trusted for Intel drivers. Go to the Intel Downloads website and get them yourself. Only install Management Engine drivers if you are using Active Management Technology in an enterprise environment. All other vendor drivers should be obtained from the official website. Hide all spurious drivers appearing in Microsoft Update.
And start learning Linux.
Depending upon one's point of view, Intel's Active Management Technology (AMT) is either a great IT benefit or a massive security backdoor.
Intel advertises that AMT enables IT departments to "manage and repair not only their PC assets, but workstations and entry servers as well," but the most important capability is that "devices can be diagnosed and repaired remotely," allowing IT "to discover assets even while platforms are powered off." And it can do this while shut-down but connected to power and Ethernet. It does this via Wake-on-Lan, so it might be possible to thwart AMT-style probing by disabling Wake-on-Lan. Wake-on-LAN and network boot are enabled by default on the Intel motherboards I own.
Dariusz Wittek, Intel EMEA Biz Client Solution Architect, said that "[AMT] does not have direct access to your HDD," but if it can "remotely remediate and recover systems after OS failures," then it must be able to format and install software on the HDD.
One problem is that AMT software is proprietary. Intel might say that AMT is secure because its code is obscure. However, we have seen with Windows' never-ending security problems that this model does not always work well. Linux is much more secure than Windows because many developers in many countries are able to look at the code and point out problems (and Linux users don't generally use an admin account for regular use).
There are a few hardware requirements for AMT, including a processor which supports vPro, a motherboard with a Q-chipset (though some Q-chipsets only support Standard Manageability), and Intel networking. The BIOS must be VT-x capable, VT-d capable, TXT capable, and TPM capable, and have the proper Management Engine (ME) firmware, though all of that comes with the proper Q-chipset motherboard.
Q-chipset motherboards are sold at Newegg and other outlets, however, so it's definitely possible for someone to buy one without realizing the full implications.
Processors without vPro constitute around half of i5 and i7 desktop and mobile processors (i3 and below do not support vPro at all), so it is definitely possible to choose one without vPro. Peruse the Intel vPro Expert Center if you're curious.
Take Skylake (6th Generation Core) as an example. Of the 14 desktop i5 and i7 processors, 8 -- i7-6785R, i7-6700K, i5-6685R, i5-6600K, i5-6585R, i5-6402P, i5-6400, and i5-6400T -- are not vPro capable. Of the 22 mobile i5 and i7 processors, 14 -- i7-6970HQ, i7-6870HQ, i7-6820HK, i7-6770HQ, i7-6700HQ, i7-6567U, i7-6560U, i7-6500U, i5-6350HQ, i5-6300HQ, i5-6200U, i5-6260U, i5-6267U, and i5-6287U -- are not vPro capable.
Or take Sandy Bridge (2nd Generation Core). Of the 18 desktop i5 and i7 processors, 10 -- i7-2700K, i7-2600K, i5-2550K, i5-2500K, i5-2405S, i5-2450P, i5-2300, i5-2310, i5-2320, and i5-2380P -- are not vPro capable. Of the 29 mobile i5 and i7 processors, 10 -- i7-2630QM, i7-2635QM, i7-2670QM, i7-2675QM, i7-2629M, i5-2410M, i5-2430M, i5-2450M, i5-2467M, and i5-2435M -- are not vPro capable.
One pattern that jumps out is that all of the K / X processors, with an unlocked cores, are not vPro capable, probably because IT departments do not overclock their systems. Xeon (server) and embedded processors appear to always be vPro capable.
Another requirement for AMT is a server to manage the various assets, with this server being managed by Intel or third party software modeled after AMT.
One ME module, ThreadX, comes from Express Logic, which offers a user's guide and programmer's reference card on its website, so it might be possible to reverse engineer some of ME's functionality.
ME software is offered by Windows Update (8/8.1 have it defined as an important update, while 10 automatically installs it) and Intel's downloads. When Intel made motherboards, its CD-ROMs contained ME and implied that it was required (its checkbox was selected). If ME is not installed, Windows Device Manager and Devices and Printers will indicate errors.
Linux is pretty much the same story, but it substitutes AMT Linux Enablement for ME.
I installed ME as a test on two freshly-built Windows systems, one with a vPro processor and another with a non-vPro processor, both with non-Q chipsets. After installation, the vPro system had an AMT folder while the non-vPro system did not, suggesting that vPro processors just assume they are running in an AMT system. I do not have a Q-chipset motherboard so I could not determine if all AMT folders are the same. Neither of my test systems displayed any AMT-related elements in the BIOS.
The best proof that AMT could provide an unintentional backdoor is the DZ68BC motherboard. This should have been one of Intel's premier boards, with world-class heatsinks and the ability to overclock. However, the bugs in the firmware -- just search on "DZ68BC" at https://communities.intel.com/community/tech/desktop -- convinced many users to try a less-complicated board or even a non-Intel board. I ran a test on a DZ68BC and found that if Wake-on-LAN was disabled, pressing the power switch no longer powered-up the system. I needed to press and hold the power switch for a few seconds to force it to power on. Not to mention the fact that Wake-on-LAN is enabled by default on all Intel motherboards, something most non-corporate users would not want.
A retired Intel engineer who worked on ME and motherboards and sometimes answers questions in Intel forums admitted that he does not install ME on his personal systems. He explained that ME is only necessary for those "using AMT (on vPro systems) or the soft TPM (on newer systems)."
One should feel fairly secure with a non-vPro processor installed into a motherboard with any chipset other than a Q, without ME being installed, with network boot being disabled, and with Wake-on-LAN being disabled (the last two are done in BIOS). I'm not convinced that the presence of an Intel NIC by itself opens any backdoors.
AMD, Intel's only real processor competition, does not have an equivalent to AMT but it does offer something similar to vPro. AMD's Secure Processor (formally Platform Security Processor) is an ARM core on the same die. The folks working on Libreboot, an open source BIOS replacement, believe Secure Processor to be the same kind of threat, but I don't think they're even in the same league. Secure Processor made its debut in AMD's Pro A-Series, so it's unlikely customers will buy one by mistake. Wake-on-LAN and network boot should be disabled in BIOS, as on Intel systems.
One of the problems with this entire subject is communication, or lack thereof. Intel rightfully believes AMT, vPro, and ME to be trade secrets worth protecting. Intel's Wittek denigrates those who throw darts, but given that the source code is not available to non-partners, there's no way of proving it one way or the other. Qubes OS' Joanna Rutkowska wrote Intel x86 considered harmful, giving the impression that AMT, vPro, and ME are the devil, but then again Intel's documentation is far better than the competition allowing us to know more about it, not to mention that Qubes OS would fare better in the marketplace if people accepted that no processors were trustworthy. Intel could allow a respected expert to look at the code, but some people would not believe those findings either. We'll just have to wait and see how it plays out.
As I wrote before, Intel small business marketing blogged in January 2016: "You might be resisting [migrating to Windows 10] because you're worried Windows 10 won't work with older computers. But rest easy, it's backwards compatible, meaning it's designed to work with older and newer computers alike. Upgrading your hardware can be expensive, so start with a free operating system update."
This was wrong at the time and remains wrong because Intel made a corporate decision to not support any processor graphics released before 3rd Generation Core (Ivy Bridge). Actually, Intel does not even include support for 3rd Generation Core processors on its most recent support post. Intel made this decision even though all of its former competitors in the motherboard business have released device drivers for many of their motherboards, while Intel washed its hands of the whole affair and left the motherboard business.
Recently the aforementioned blog entry was deleted, but I had taken screenshots of it.
Intel small business marketing blogged in January 2016: "You might be resisting [migrating to Windows 10] because you're worried Windows 10 won't work with older computers. But rest easy, it's backwards compatible, meaning it's designed to work with older and newer computers alike. Upgrading your hardware can be expensive, so start with a free operating system update."
But that's not true, as has been noted on Intel support forums. And Intel Downloads contain no Windows 10 drivers, save for NUCs and Compute Sticks, as well as related BIOS updates and utilities. The strange case of Dr Intel-Jekyll and Mr Intel-Hyde, if you will.
Microsoft is determined to force Windows 10 onto all PCs regardless of whether they have hardware which supports it. Terry Myerson, Executive VP of Windows and Devices Group, blogged that Microsoft will intensify its attempts to force users to convert, even changing the updates to Recommended status which means they will automatically install on most PCs. Microsoft re-releases the updates every month.
Microsoft should have included an upgrade adviser to determine if a PC's hardware would support it. The user should have been given the choice of migrating or not -- opt-in rather than opt-out -- but Microsoft designed the scheme to force it onto as many systems as possible so Microsoft would start making money via its new business model of collecting user data and selling it, much like Google.
A naming convention needs to be addressed. In the not-too distant past, the metallic, square product placed in a motherboard socket was referred to as either a processor or CPU (central processing unit) because there was a one-to-one relationship between the two. Then processors were given multiple CPUs, with "core" being used to refer to an individual CPU. Then many processors were given a GPU (graphics processing unit), also composed of one or more cores (it's common to have 2-3 times as many graphics cores as processor ones). I will only use processor, core, and graphics, with the last referring to all graphics capability in the processor.
The confusion with respect to Windows 10 exists because Intel is three things: a supplier of processors which may or may not have graphics capability, a supplier of chipsets for use on other vendor's motherboards, and a former motherboard manufacturer. The impact to Windows 10 is different for each case.
First, let's consider the processors Intel sells to the consumer market, ending up in retail establishments and OEM products. The core(s) portion of the device will support just about any operating system, but graphics capability is an entirely different story. And just to complicate the situation even further, for OEM processors, Intel supplies generic device drivers which the OEM may or may not customize, either adding or subtracting features.
Intel made a corporate decision to only supply Windows 10 graphics device drivers for 3rd Generation Core (Ivy Bridge) and later processors. Previous generations of graphics, most notably the still-popular 2nd Generation Core (Sandy Bridge) will never be supported under Windows 10. In Intel's support forums this has been stated many times. The policy is officially stated on Supported Operating Systems for Intel Graphics Products. Note that graphics for many older Pentium, Celeron, and Atom processors are not supported on Windows 8.1 or 10. Select the device drivers for 3rd to 6th Generations here and the device drivers for 6th Generation only here.
Mind you, Microsoft does supply compatibility, i.e. generic, drivers for non-supported Intel products in Windows 10, but they won't be optimum and no one will help you debug any problems. When Windows 10 first boots, it will search for proper drivers and not always find them. Audio drivers are often not installed when moving from one Windows version to another, so you will need to install them manually.
So this has an impact regardless of whether your PC has an Intel motherboard or an OEM one. However, keep in mind that for desktops, adding a video card will resolve the issue because then you will not be using Intel graphics. It would also resolve the issue for laptops, but adding a video card is problematic because they are not generally offered for retail sale.
Second, let's consider chipsets. If a motherboard manufacturer wants to use Intel processors, it must also use Intel chipsets. The situation is the same for AMD processors which go hand-in-hand with AMD chipsets. The naming convention for Intel chipsets is that the first number is the series, e.g. a Z77 is a 7-series. As with OEM processors, Intel supplies generic device drivers which motherboard vendors can modify. However, Intel does not intend to release chipset device drivers for 6-series and all previous generations for Windows 10. For example, the ASRock H61M-DGS supports Windows 10 because ASRock created device drivers for it (I'd want to test it before I ran production software on it, however). But then look at the BIOSTAR H61MGV3 which only lists device drivers for the on-board LAN.
Third, let's consider Intel motherboards. Intel left the business in 2013. This decision has caused a great deal of confusion because other motherboard manufacturers -- the large ones are Gigabyte, ASUS, ASRock, MSI (Micro-Star International), and Biostar -- remain in business. Intel decided not to support Windows 10 on any of its motherboards because it could reassign or eliminate all of the employees working on them. Windows 10 device drivers for these boards are problematic because Intel will not spend the money it would take to qualify them. Intel has provided non-supported Windows 10 device drivers as follows (remember that Intel changes its website without notice): wired networking, Rapid Storage Technology, chipset, and others via Intel Downloads. The ME (Management Engine) driver for 3rd Generation Core and later processors can be found here. One retired Intel engineer stated that ME drivers are only necessary for systems with AMT (Active Management Technology) or TPM (Trusted Platform Module), though Device Manager will display an error that can be safely ignored. Audio device drivers are actually supplied by Realtek and they can be found on its website.
In other words, you are mostly on your own for older hardware. If you see the classic message KMODE_EXCEPTION_NOT_HANDLED -- no longer a BSOD, but a system crash nonetheless -- you have device driver problems and there might be no solution other than to revert back to Windows 7 or 8/8.1.
The reality is that Intel boards are a crapshoot with respect to Windows 10, with newer boards being more likely to support it. In comparison, all other motherboard manufacturers have added support for it to some degree, with the newer the board the more likely it is that full support is offered. Both NVIDIA and AMD/Radeon have released drivers for Windows 10, but given that Sandy Bridge and older processors are not supported on Windows 10, even adding a video card might not solve the problems.