loading...

Discussion

markdown guide
 

I think it's only to be expected that as the processors add more logic the likelihood of security flaws will increase. I see a potential market for having lowered power, and far less complex chips, for security intense operations...

...that is, assuming the public ever truly cares about security breaches, viruses, spam, malware etc. We've shown a strong reluctance not to care before.

 

The other side of the coin is update lethargy (or failure to make updates pain-free). Either way, there needs to be a shift.

Passwords, updates, phishing, etc. There are a lot of security issues education, while always evolving, are pretty evergreen in the computer age and we should be teaching this stuff a lot.

 

I think the shift has to be fundamental. A model that requires continuous updates is an never-ending war, and the faults will just continue. Were systems instead designed for security from the ground up then update lethargy wouldn't be as serious as a problem (though attackers have shown some extreme ingenuity in recent times).

But, as you say, unless education of the average internet user is improved, there will be no push towards any kind of security shift. This is kind of scary. In contrast, this Intel defect is really kind of harmless in contrast to what people willingly share about themselves online.

Education and awareness are probably the biggest issues.

You just hit the nail on the head. I totally agree that this is an education issue. The average end-user doesn't know what phishing is. That just makes it easier for them to get owned by it. The same is true of many other vulnerabilities. And even more so with user practices, like using the same password over and over. Even after Equifax, the average user doesn't care. Perhaps this needs to be a bigger part of public education.

 

This has to be the worst vulnerability I've ever heard of. It takes advantage of a layer between apps and data that users expect to be totally secure.

 

I wonder if it has been exploited by someone before it became widely known. How likely is it that black hats/govts could know about it and use it secretly?

 

From the Reuters article:

Speaking on CNBC, Intel’s Krzanich said Google researchers told Intel of the flaws “a while ago” and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the “Spectre” flaw on June 1, 2017 and reported the “Meltdown” flaw after the first flaw but before July 28, 2017.

I haven't heard of any exploits in the wild yet. Although, keeping vulnerabilities secret to use as zero-day attacks is the standard operating procedure of the NSA. And if the NSA knows about it, black hats probably know about it too. I would actually be surprised if that wasn't the case.

 

SharedArrayBuffer and performance analytics are also being temporarily disabled in browsers in the mean time

Chrome: chromium.org/Home/chromium-securit...
Firefox: blog.mozilla.org/security/2018/01/...
Edge too

 

If anyone's curious about how Meltdown works, here's my attempt to explain it very simply: dev.to/isaacandsuch/how-meltdown-w...