BREAKING: Unfolding Computer Security Crisis

This might be one the biggest crises in the history of information technology. A security flaw among processors using "speculative execution" — that is, virtually every unit produced since the late '90s — was just recently discovered by independent research teams.

The hardware bugs are nicknamed Meltdown and Spectre — and if the former is patchable at the significant expense of computing power, the latter simply cannot be corrected right now and is likely to remain a hazard until the next generation of hardware is introduced. This might take a decade.

The exploits allow malicious software to access pretty much any data loaded into your computer memory — passwords, emails, documents and anything a piece of software from web browsers to anti-malwares might need to store into RAM.

Everyone is concerned by the security flaw, regardless of the device (smartphone, laptop, desktop computer, web server, etc) or operating system (Windows, Mac OS, Linux) you might use. Whether or not this exploit has already affected you cannot be determined as the it doesn't leave any trace behind.

Graz University of Technology: Meltdown and Spectre |
Ars Technica: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws |
Gizmodo: What We Know So Far About Meltdown and Spectre, the Devastating Vulnerabilities in Modern CPUs |
TechCrunch: Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? |
CNET: How to protect yourself from Meltdown and Spectre CPU flaws |

Other urls found in this thread:

Imagine this being what topples capitalism. Straight up cyberpunk levels of collapse with the reduced computing to patch this. Craaaazy.

It appears certain AMD processors are not affected by meltdown. Not sure if AMD is safe from specter. Linux kernel commit notes show that the performance degrading fix is disabled when an AMD processor is detected.

These security flaws probably impact cloud providers/users the most especially if providers rent shared hardware. An attacker could have his VM read the memory of another VM if they are running on the same bare metal machine. The next question is how or if the industry will exchange performance for security.

Things are already going to shit, actually

Correct, AMD processors are not affected by Meltdown but they are by Spectre — the worst of both.

Isn't this an NSA backdoor?


Joke's on them, I don't have any money to steal anyways.

Yeah. Intel is a "computer manufacturer" in the same way Lockheed Martin is an "airplane manufacturer". What worries me is that this is being allowed to come out rather than the researchers disappearing in the night, which to me says that they already have something far more effective in place that we don't know about.

Well the good ting is that this means there will be more leaks and shit. Good thing I don’t have sensitive data on my computer.

If powers that be were that competent, we wouldn't be here.

It affects all intel processors.

Holy fuck @ spectre.

Javascript was a mistake.

This is always the case, NSA and CIA hoard these kinds of things. On top of that, they were sitting on this one for months. That said, Spectre really does take the cake, it is a remarkably evil bug.

is there any processor which doesn't have this bug?

Feels good not to be cucked by western capitalism and the accompanying police state.

Spectre affects all hardware and OSs.

my dude, I just ran the spectre test on my new Ryzen chip and it worked.

explain this to a brainlet

yeah like the first Pentium.

How about noscript?

ublock and umatrix or javascript or spectre?
for ublock and umatrix, look up their manuals and guides.
javascript is a programming language that runs in your browser. whenever you load up a webpage, it runs random javascript programs you download from it. spectre basically lets those programs break out of the browser and steal your info.

probably fine but isn't it obsolete compared to umatrix?

Just FYI, since Holla Forums does NOT run on a cloud server, it is less vulnerable to Spectre. It's cloud services like Amazon that are totally buttfucked by it.

I've been hearing this bullshit about THE END OF THE CYBERWORLD since John fucking Mcafee blew his hot drug filled load in the early 90's warning of the VIRUS OF ALL VIRUSES

I've been told this the last 7 years more consistently that I just don't give a shit. I don't care the NSA knows that I have my phone near me when I'm wrecking my butthole with a dildo, I don't care that they see me naked, I don't even care if this leads to my doxxing and death

I am so tired of these doomsday scenarios that I refuse to believe they're real. Boy who cried wolf too many god damn times.

Only technologically obsolete processors you're unlikely to have ever approached in your whole life unless you're 30+.

You're all a bunch of cowards, let them spy on you. Be someone's entertainment. Hey, let them destroy your computer, it might improve your life!

Too bad this is going to be another whole bunch of nothing hyped to hell by paranoid internet dweebs who can't tell the forest from the trees/can't tell net neutrality from the boy who's cried wolf so many times he might as well have been killed out of annoyance by the local populace.

Nobody's saying this is "the end of the cyberworld", just that it's a far-reaching security crisis with very serious implications.

dude, you hear about it all the time because capitalism makes it so that there's no profit incentive to make secure software and hardware. it's just totally fucked, but this one genuinely is a lot worse than normal ones.

According to AMD their chips are completely unaffected.

You're clearly an idiot who has no clue what the whitepaper is talking about. Spectre is genuinely bad.

No, they only said that about Meltdown. I repeat, I have personally tested Spectre on my AMD hardware and it's vulnerable.

But what if it wrecks your bank account? Then you can't buy any more dildos and ain't that a fate worse than death?

Hearing about this is more tiresome than drinking gin. Both are bound to happen, both taste like shit, you promise you won't look at the bottle again and in your gut you feel the same annoyance that it's always there, always yelling at you about the next cyber security thread

I have been so desensitzed by this bullshit that I wouldn't care if whatever I say here gets me arrested.

I don't care who does this or what it is for but if they have a folder of my nudes I hope they fucking enjoy it.

That's only Meltdown. Pretty much all of your devices are vulnerable to Specter.

Why would it be a fate worse than death if I already have dildos

No it's just another example of America ruining fucking everything.

nibba you aint charles bukowsky

Just shut up then faggot, why are you even here?

Shut the fuck up you tired lizard like man.

And you aren't William Gibson


To tell you that if you thought anything different was happening you're an idiot.

I'm Thomas Pynchon

So why read any news? Once you read one story about capitalist exploitation, no point reading any more, right?

Why are you so upset I'm laughing at you that you didn't expect the obvious. Oh I know why, it's because you're a baby.

my dad is a police car


The obvious is that there will always be more exploits. Wow, you're a real fucking Cassandra.

My mom fucked your dad, I'm a hybrid of both man and machine

No No No No, wrong wrong wrong

You can't take back what I'm laughing at your hysteria over the obvious for back to me that's silly


u dumb fucks this whole thing is a shill to get u to buy amd how fucking stupid can u commie cunts be

It effects AMD, fuck off.


but it affects AMD as well you cuck

But it can be patched without causing massive slowdowns. That's the rub.

No it can't, Spectre has no patch as of now. You're thinking of Meltdown. RTFA, RTFT.

You're talking about Meltdown, not Spectre. Spectre is a hardware-specific issue, it can't be solver through patching.

Thank you NSA for protecting our freedoms from terrorists
dog bless ameriga : DDD

This is like watching 3rd graders argue about who's stronger Wolverine or Yoda

fuck off retard.

A thread about computer security gets derailed. Cointelpro in action?

Both are hardware issues, spectre has no fix now or for the foreseeable future.

what's with all the retards in this thread in particular

The brice of freedom.


It could be NSA meddling or it could be pursuing performance/profit without regard to security. Or both


So they don't use AMD or intel? Seriously?

Do they use branch prediction? Probably.

I know that at least Russia produces it's own domestic processors. They have a lot of domestic protectionism laws.

Most likely both. The NSA/US federal government apply extreme pressure on any tech company that refuses to cooperate with them. It's in their best interest to just give the government what they want.

What the fuck are you on? Do you believe current-day Russian or North Korean CPUs somehow don't use speculative execution?

shoulda taken the noscript pill homie I told you
real neighbors block everything

The real winners are the govts who bought a bunch of typewriters and made their top secret shit move back to paper.

I thought that was just Spectre 1 which already got patched

Reminder that a US-sponsored cyberattack on Iranian nuclear facilities managed to ruin one out five of their uranium centrifuges — it was called the Stuxnet worm.

probably want to switch to umatrix

read. the. thread.

I. did. There's two spectre variants, spectre 1 got patched and as far as I know the second variant was never shown to work on AMD chips thus far.

no there isn't, read again.

sorry user but yes he's right:

Yes there is. Pic related. Variants 1 and 2 are part of the spectre exploit. Variant 3 is meltdown which as far as I know only affects Intel.

None of exploits listed in that article are Spectre.
There is proof of concept code in the Holla Forums thread:
>>>Holla Forums847282
>>>Holla Forums847304
>>>Holla Forums847313
>>>Holla Forums847329
>>>Holla Forums847330
>>>Holla Forums847336
>>>Holla Forums847339
>>>Holla Forums847340
>>>Holla Forums847374
>>>Holla Forums847377
>>>Holla Forums847378
>>>Holla Forums847418
It has been tested and is proven to work on numerous AMD and Intel chips. There IS NO SOFTWARE UPDATE as of yet, and possibly won't be one at all.

Why is America so bad at technology?

They explicitly refer to variants 1 and 2 as part of the Spectre exploit here:
Has something changed or is there something I'm missing here?

This clarifies somewhat, and explains AMD's extremely cocky attitude.
SO FAR, Spectre on AMD can only access memory within a process. This means it is not a major problem for AMD servers right now, but it is still a major problem for us, because it can run as a browser exploit. AMD claims that OS and software updates can fix it, but browser and OS vendors have not pushed patches that eliminate this problem yet. As well, we still don't know this bug can't be slightly re-engineered to get full coverage on AMD.

But those processors doesn't have any aslr. That was before we have to worry about randomizing kernel boot calls.
My x200 on gentoo hardened seems to be safe from specter for the time being. I'm not sure about Meltdown. I'm more concerned about Meltdown, Is there any proof of concept code for that? I'll look into the papers again tomorrow.

How do I protect myself beside using common sense? I want to update windows but I will also need an arsenal of anti telemetry

windows 7 patch

hmm AMD cockyiness is justified
Spectre is so specific its way harder exploit

Do you have the 8.1 update?

you could have just copy and pasted " 2018-01 Security Only Quality Update for Windows" by the way

Well for 1 you can stop using windows, I don't understand the idea that you don't want to be spied and will jump through hoops to fix an unfixable OS yet won't try anything else. But there will be security patches for Meltdown, but Spectre its aptly named as there is no fix for it until new processors are made, so until then install scriptblockers and don't download malicious programs.

I don't know about him, but some online games I play are Windows only and don't quite work right with Wine. My personal solution was have a gaming desktop I dual boot for games and laptop running Debian for everything else. I wish Windows would just die.

just as fucking planned

So how many people have already been fucked by this

In a cell in Colorado, Ted Kaczynski is laughing at us.


Where can I buy?

Well shit, I will have to live with that, at least I've been virus free for a while now

Someone from this board better fucking make malware for this and kill off all of porkies servers. Pronto

Muh competition!

He's on idealism mixed with a bit of technological illiteracy

Kek, my netbook is pre-2013 Atom. It's immune to Meltdown.

bump, so I installed Ublock & noscript what else can I do to protect myself aside from switching to linux & not visiting shady websites

host files:

That, and Stuxnet affected specific Siemens-produced hardware that was sold worldwide. Lol.

Javascript is ran in a VM you jackass.

Does using a virtualized environment give you some protection?

This. You can't steal my money if I hide my remaining 2k in my bunker.


I'll put you in my bunker.

Please stop. Just let me live my life in ignorance.

The beauty of this whole thing is that not even virtualbox is safe.

Firefox just released a patch to prevent the attack. The exploit was able to read all the memory in the process.

Fucking stop it, install Linux.

Why didn't we listen to the anprims? We had all this time to prepare, and now we have but a shallow grave atop a mound of our technological ignorance.

Time to learn how to dual boot. Gotta look out for my vidya, unfortunately. Otherwise, I'd drop the microshit meme already.

so he has ads on his website? that's it?

can I use that without the million previous updates? I never update

They're malicious ads.

just don't go on the website and keep on using the extension.

The whole point is, why the hell would you trust this guy to send updates to your browser extension if he deliberately puts virus downloads on his site?

I don't use updates.
and just because he's doing this one dumb thing for money doesn't mean the entire thing is useless.

b-but the f-fhureeh m-market!

Plenty of native/ported linux game torrents here:

Plenty of torrents with games pre-packaged with wine here:

Install PlayOnLinux for user made scripts to install Windows games easily.

BRB, buying twelve apple watches.

I'm no expert in CPU architecture, but Im pretty sure you can't predict iranian proc have the exact same issue than intel ones

It's very unlikely those CPUs don't use the computation techniques that allow the flaws to be exploited, such as speculative execution. Virtually every unit produced starting in the late '90s has those features, why would Iran's be different? That would be like assuming Iranian mouses somehow don't have a right click button.

There is a Spectre haunting the whole world…

Laughs in Ryzen

Uh, no. Meltdown is the worst of the duo, you dimwit. Spectre can be patched at a software level, while Meltdown can only be somewhat controlled by a kernel patch, and even then, it's barely even a band-aid.


Put this into the oc thread.

Just update Firefox and Chrome and you won't get affected by JS Spectre scripts.

Don't torrent applications released from 2018 and later (unless you're willing to install the OS patch that slows your intel CPU by up to 30%).

Also stop using chrome.

yeah it's not a problem if you get all your programs from a package manager or compiled from source either.

great, by applications do you mean .exe s like hentai games or files in general? Do I not get to download new films at all unless I update my pirated Win7? Is Linux affected?

Firefox is slow, rusted out garbage by today's standards and needs a completely rewritten engine. Use Ungoogled Chromium if you're a tinfoiler freetard.

Firefox is still mostly single-threaded, and has only recently started to separate certain parts into separate processes with e10s. Firefox is the Adblock Plus of internet browsers (ie. it had its place in history, but it's now way slower than the alternative). The number of tabs that Firefox needs to process in memory decreases the entire application's performance by approximately O(N^2). You will notice that the more tabs you open (and close, because Firefox frequently fails to garbage collect), the slower your entire Firefox UI gets, forcing you to restart the browser when it gets unbearable. Meanwhile, Chromium, which separates each tab into separate processes, decreases in performance by approximately O(N logN) which is a fuck load better when you have a substantial number of tabs open, with the trade-off of slightly higher memory usage per tab due to runtime design limitations by the OS (microsoft never envisioned that common programs, beyond server/enterprise programs, would split into separate processes and communicate with each other).

essential Ungoogled Chromium extensions that you'll have to install manually by dragging into extensions page:

uBlock Origin
Center images
Blank New Tab Page
Sinax TabList
Tampermonkey (follow these instructions for Anti-Adblock Killer

applications meaning executable binaries. videos and pictures and shit just get decoded by a video player, they are very difficult to turn into executables.

Your pirated Win7 is literally spying on you. Install Linux.

Linux distros use package managers guaranteeing that you get your programs from a trusted source. The only way for this kind of malicious code to get onto Linux is through internet browser exploits (or some other vector). Update your browser and it's not a problem.

No it isn't, the Quantum project makes it just as fast as Chrome, and it's only going to get faster and more secure. It has tab content isolation now and multithread and multiprocess.

Ungoogled Chromium isn't terrible or anything, but don't spread FUD. Firefox is the best option in most distros' default packages.

On a single tab. Which means fuck all when we're talking about multiple tabs.

No it does not. You just made up that term because you will not find "tab content isolation" anywhere in Electrolysis' documentation. Please actually look into how Electrolysis (e10s) works. What Electrolysis does is separate the UI, "web content" (all tabs), media content (HTML5 videos) and extensions into their own separate processes. While this is a significant improvement from before, one tab can still bring down all your other tabs as it's all in the same "web content" process.

Performance-wise, FF remains worse than Chromium.

You will need to trust the person who is distributing the program. Huge problem for servers, corporate workstations, ATMs, etc. but not so much for ordinary people who don't do many security-sensitive activities. Personally I think the risk from Meltdown is too low that I'm opting to avoid hampering my i7 CPU's performance with the patch on my home computer unless they release a better patch where any performance loss is unperceivable.

It's possible to inject code into media files that exploits bugs (aka "security holes") in media file viewers (ex. MPC-HC, VLC, internet browser, PDF viewer). Just keep your media file viewers up to date.

It's just as affected as Windows. They've released a patch (look up KPTI) starting from kernel 4.15 and 4.14.11.

"Some other vector" can include vulnerable media file viewers that run infected media files.

Telemetry can be removed from Win7 but not Win10.