How a researcher hacked his own computer and found 'worst' chip flaw

mouser:

A serious and hard-to-fix bug was recently found on most Intel CPU chips manufactured since 1995.  It's causing a huge disruption on the web, affecting most of the servers running the internet.

FRANKFURT (Reuters) - Daniel Gruss didn’t sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel Corp (INTC.O)...
The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.

Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) (AMD.O) and ARM Holdings, a unit of Japan’s Softbank (9984.T).

Both would enable a hacker to access secret passwords or photos from desktops, laptops, cloud servers or smartphones. It’s not known whether criminals have been able to carry out such attacks as neither Meltdown nor Spectre leave any traces in log files.

--- End quote ---

https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR





See:

* https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR
* https://it.slashdot.org/story/18/01/04/2128242/how-a-researcher-hacked-his-own-computer-and-found-one-of-the-worst-cpu-bugs-ever-found

IainB:
@mouser: Thanks for posting this news item from the always-reliable Reuters news. I don't know what to make of it. I had already read similar, elsewhere, as the Internet seems to have gone crazy over "Meltdown" and "Spectre" (such dramatic and scary names!) these last couple of days. They are a "thing", it seems, and may be potentially even worse and more imminently threatening as a national security risk than Climate Change™, or something. Anyway, we must act - and now! There's no debate about that, except perhaps from the usual pointy-headed tinfoil-cap-wearing conspiracy theorists whom we all spurn as less than human - and rightly so.

A report and video interview from the always-reliable CNN investigative reporting team mentions:

* that the flaws affect "...billions of computers and smartphones" (Oh no!),
* that "Meltdown" (sounds a bit overheated to me) affects only (all/most) Intel processors(!), whereas,
* "Spectre" (sounds like code for a sorta James-Bondi ghostly Russian spy system to me) "...exists in almost every computer system" (which sounds scarily pretty comprehensive),
* that "Intel CEO Brian Krzanich sold about half his stock months after he learned about critical flaws in billions of his company's microchips.", which carried the implicit suggestion that the flaw(s) were deemed to be serious enough for the CEO to risk potentially breaching insider trading regulations constraining the sale of Intel stock - so thus, obviously the flaw(s) are real and serious and need to be remedied ASAP.   :tellme:
* that these hardware/firmware design vulnerabilities have apparently been known about/discussed for years as being potentially exploitable, and were a known result (trade-off) of chip hardware designers working towards maximising optimum throughput - the implication being that to "fix" them now could necessarily reduce throughput and slow down all our PCs/smartphones. (Might we not all need to buy new, non-vulnerable CPUs?)   :tellme:
Oh dear, what a pity, never mind.

The spin seems to be based on a supposition that these are hardware/firmware vulnerabilities/flaws, or something, that were not previously known about (which would seem to not be true), whereas what we can deduce seems to be that this is the first time that some details of these vulnerabilities have been published (I think that, at least could be true).

In the Reuters report you quoted, "Daniel Gruss" (not sure whether that is a real person) is the name assigned to the "discovery" of the "Meltdown" flaw, whereas we are only told - somewhat ambiguously - that "Separately, a second defect called Spectre has been found".
What? Simultaneously? Coincidentally? Just like that?    :tellme:
Woooow, scary; must download the fix ASAP before the bogeyman looks into my laptop/smartphone/Raspberry Pi firmware with "X-ray vision" (Yep, that's what it was called.). Then I shall feel safer.

Yeah, right.

The parallel report that the Intel CEO apparently had the audacity to risk potentially flouting insider trading rules and sell off his max limit of stock at a good price before the flaw(s) were published (Shock! Horror! Who would do such a thing! Capitalist scum!) is really interesting. Apparently (per CNN), Intel stock had already dropped 6% on the "bad news" about the chips, or something, so Brian Krzanich could now redeem himself by buying his stock back at a hefty discount, even increasing his stockholding at no extra cost - if he wished. Ahh, serendipity. Bet there wasn't a 99% chance that that price drop wouldn't happen, eh?

Colour me highly skeptical - especially given the history/experience/example(s) I coincidentally referred to in the recent post here:
Unfortunately, history also shows that it generally doesn't seem to make a blind bit of difference whether corporations exhort their personnel to conform to avoidance of this or that unethical or illegal practice or "behaviours", because people (usually senior managers and executives) will attempt to do their damnedest to work around such "ethical" constraints where they see a potential pot of gold, or a savings, or a marketing advantage can be had.
-IainB (January 04, 2018, 08:34 AM)
--- End quote ---

Of course, Microsoft, Intel, AMD, et al are presumably assiduously working collaboratively day and night now, even as I write this, and probably after I have gone to sleep for the night (though I am a bit of an insomniac), to push out a broad "fix" to these terrifying flaws. The last thing we want is people "peeking at our passwords" or, maybe worse, even "looking at what tabs we had open in our browsers". Oh, the horror! It was bad enough when Snowden blew the whistle on the NSA spying. Oh, but wait...     :o

Which rather begs the question as to whether these apparently long-known vulnerabilities (QED) and flaws were not already being (relatively) "harmlessly" exploited by (say) the NSA or other state agencies/organisations, or whether the comprehensive world-wide "fixing" of CPU hardware/firmware is actually necessary, and whether the reality of the "fix" might not be worse than the reality of the supposed vulnerabilities, introducing (say) new backdoors where there were none before... How would we know for sure?    :tellme:
But I suspect that there may not be any consumer option there. It currently rather seems that we WILL get the fix via a remorseless push, and whether we want it or not, and it may have already started.
Ordinarily, I would say that "Doctor knows best.", but - post-Snowdengate -  I'm none too sanguine about these IT medicos and their "You can trust us to do no evil!" (or similar) approach...   I mean, it's not like they have taken the Hippocratic Oath, or something - is it?    :tellme:

I couldn't help thinking that this all seemed to be déjà vu for some reason, and then I recalled the Halcyon days of the Y2K con trick work that I and thousands of others helped to perpetrate carry out, exploiting gullible helping clients who bought into our consultancies' hugely lucrative Y2K risk mitigation proposals. The poor wee darlings couldn't sleep at night for worrying that the sky was falling down - and it was! Yes! It really was! - because all their CPU-controlled systems, including in computer-rooms, elevators, calculators, PC workstations and distributed 3-tier LANs and databases, aircraft control systems, telephone exchanges, etc. were all at risk - very real risk - of stopping dead on the turn of the year 2000. Aircraft would literally fall out of the skies, elevator brakes in tall buildings would come OFF automatically sending the lift and its occupants hurtling to certain destruction below, banks and payment systems would collapse as their systems stopped, food and water would be in short supply due to the banking system collapse and store checkouts not operating, balance sheets would evaporate, huge losses would be incurred, etc..  Oh, the horror!

Well, we put their little minds at rest, so they could sleep peacefully, secure in the knowledge that we had put mitigation plans in place and mitigated the risks for them, the poor dears. So they slept on soundly, whilst we tiptoed off into the sunset of the first day of 2000, laughing all the way to the bank, secure in the knowledge that the suckers clients were convinced that we had delivered them a good service.
Ah, those were the days, eh?    :Thmbsup:
Reminiscing now...
It would be nice if we could catch another gravy train like that...   Oh, but wait...    :o
...looks like the MSM (MainStream Media) may have already climbed aboard. A quick survey seems to show pretty consistent reporting (almost word-for-word) of the narrative coming from all/most "news" sources, with little real variation and no apparent evidence of critical investigative journalism. Speaking as the ex-Principal Marketing Consultant for the AP region, to what was apparently the third-largest IT corporation on the planet at the time, and where my specialism was strategic marketing communications planning (and in which I was regarded as being pretty capable), the MSM chatter on this Meltdown-gate and Spectre-gate (my terms, for want of a better terminology) would seem to have all the markings of a well-orchestrated and well-synchronised public communications launch. Not a bad job at all.
Respect!   :Thmbsup:

IainB:
Interesting:
"Best explainer yet for Meltdown and Spectre"
Refer <https://www.askwoody.com/2018/best-explainer-yet-for-meltdown-and-spectre/>
- and link to <https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/>

There are 2 .PDF (academic) papers (Meltdown.pdf and Spectre.pdf) downloadable from the latter link, which seem quite illuminating, sometimes in what they do not say. It seems the researchers may have been working on identifying the type and extent of these vulnerabilities since 2016, at least.
There is evidence of co-ordination between the parties involved, so it seems that someone is co-ordinating this business, but quite who they are or the mechanism of how they are doing it, or for how long they have been doing it (and why) is not immediately apparent.

Stephen66515:
https://meltdownattack.com/

Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.


Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
--- End quote ---


Link also contains technical papers on both Meltdown and Spectre

~Stephen

mouser:
Nice calm summary in plain language:

https://www.networkworld.com/article/3245813/security/meltdown-and-spectre-exploits-cutting-through-the-fud.html

"To date there are no known uses of the exploits in the wild. And it’s not as easy to deliver a payload to a machine to use these exploits, as it is with more common malware that’s sent via an email or errant application download... While these new exploits are troublesome, as are all potential security risks, users and organizations affected should not panic. Many of the fixes are already being implemented as software/firmware upgrades and should mitigate the vast majority of any potential exploitation."
