Main Area and Open Discussion > Living Room

How a researcher hacked his own computer and found 'worst' chip flaw

<< < (3/5) > >>

Arizona Hot:
How a researcher hacked his own computer and found 'worst' chip flaw

Apple releases new security update to protect Safari against the Spectre attack

IainB:
I had to laugh at this post on AskWoody:
Risk Based Security brings some sanity to the Meltdown debacle
Posted on January 9th, 2018 at 15:52 woody Comment on the AskWoody Lounge

I just finished reading this article, recommended by Kevin Beaumont. The Slow Burn of Meltdown and Spectre: Exploits, Lawsuits, and Perspective.

Here’s the conclusion:

Vulnerabilities are disclosed every day, to the tune of over 20,000 new disclosures in 2017 alone. Just because a vulnerability receives a name, a website, and/or a marketing campaign does not necessarily mean it is high risk or that it will impact your organization. As always, we strongly encourage organizations to cut through the noise and focus on the details relevant to them, and make a decision based on that alone.
--- End quote ---

I repeat – forgive me if you’ve heard this before – but there are NO KNOWN Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can only be snooped if you allow an unauthorized program to run on your server.

For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available. You’ll want to install the new Windows patches as soon as they pass muster. And you need to get your BIOS or UEFI updated one of these days. But there’s no big rush.

What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc.

--- End quote ---

Clearly, Woody is off his rocker. This threat is serious man, all the news reports say so, and look how quickly the players have been moving to stop the vulnerabilities - even if it does mean (say) inadvertently crippling some of those older, or non-Intel CPUs - and are even now considering redesigning the chip hardware/firmware for the future so that we can all be safe. They wouldn't all be rushing to do that if it wasn't an imminent threat. Oh, but wait...    :o

Stoic Joker:
I do find the timing rather interesting with all the folks being so happy with how well Windows 10 runs on older hardware ... That now have an entirely new holy-shit-class reason to have to run out and buy brand new bleeding-edge hardware which will of course be priced to match accordingly..

But I'm never-the-less obligated to schlep through the process in the name of due diligence. Because it only takes one enterprising asshat to pair this with a broadcast based delivery system to get it into some low hanging fruit internal server from a workstation email (ala CodeRed) to turn the whole thing into a big steaming shit show.

IainB:
I do find the timing rather interesting...
...But I'm never-the-less obligated...
-Stoic Joker (January 10, 2018, 07:36 AM)
--- End quote ---
Yers, well, that's the thing about FUD: "My goodness! It just might be true! Can I take the risk?"

Kerching! Kerching!

Jibz:
I think the problem is not so much the risk for the average user to get hit by this on his home computer (outside of browsers), but that half the web runs on AWS/Azure/Whatever, so the average user could get hit by extension when the servers running the websites they use potentially leak passwords and personal data.

Navigation

[0] Message Index

[#] Next page

[*] Previous page