How a researcher hacked his own computer and found 'worst' chip flaw

f0dder:
I'm a bit late to the party, but...

^^ Good link. Thanks. And the author is right - it is FUD, and generally, wherever one finds FUD, one will usually find an accompanying $commercial and/or a political motivation, if not simply an "ulterior" motive.-IainB (January 07, 2018, 01:46 AM)
--- End quote ---
The warnings about Spectre and Meltdown weren't FUD.

As Jibz said, the prime target isn't end-user machines, but stuff running in the cloud. Thing is, more and more stuff is being moved to cloud infrastructure - email, the ecosystems for software updates on everything from phones to server and desktop operating systems, payment processors, social media, every-friggin-thing. Being able to freely dump memory of other tenants on the infrastructure? TERRIBAD!

Fortunately Meltdown was "fairly easy" to fix, and without adding that big overhead... depending on workload and whether the CPU is recent enough to support the "Process Context ID" feature.

Spectre on the other hand? It's a can of worms where the lid has just been popped off. It's a class of bugs that's very hard to totally fix, because of the way modern CPUs work - unless we're willing to give up a lot of speed. I expect we're going to see a game of whack-a-mole for a while.

Spectre is a lot harder to abuse, and doesn't give the full, well, meltdown as Meltdown did. But it's still a serious issue, and it was exploitable by JavaScript code running in browsers - i.e., something that can be used to target end-users.

This was not a case of cry wolf. It was a case of "we need to fix shit, now, before people outside the NSA, GRU and GCHQ start abusing these flaws".

IainB:
Interesting post from askwoody.com:
Foreshadow/L1TF: Another highly publicized Intel flaw, complete with its own web site and logo
Posted on August 14th, 2018 at 15:46 woody
Comment on the AskWoody Lounge
You’re going to see a whole bunch of explainers about this, yet another Meltdown/Spectre-class vulnerability in Intel processors.

Intel’s FAQ lists just about every Intel processor.

Microsoft’s FAQ explains how L1TF works.

And, yes, Foreshadow has its own web site. With a free-to-use high quality logo.

Let’s see if we get another crazy round of claims and patches — more sound and fury directed at a potential attack that, while real, hasn’t yet hit the fan.

You can tell it’s a co-ordinated disclosure because it was announced immediately after the Patch Tuesday releases.
--- End quote ---

Spectre ... Meltdown ... Foreshadow/L1TF ...
Such dramatic names!    :up:

I predict the next one to be announced ... "Paradox/WTF2"
