This might be one of the biggest crises in the history of information technology. A security flaw among processors using "speculative execution" — that is, virtually every unit produced since the late '90s — was just recently discovered by independent research teams.
The hardware bugs are nicknamed Meltdown and Spectre — and if the former is patchable at the significant expense of computing power, the latter simply cannot be corrected right now and is likely to remain a hazard until the next generation of hardware is introduced. This might take a decade.
The exploits allow malicious software to access pretty much any data loaded into your computer memory — passwords, emails, documents and anything a piece of software from web browsers to anti-malwares might need to store into RAM.
Everyone is concerned by the security flaw, regardless of the device (smartphone, laptop, desktop computer, web server, etc.) or operating system (Windows, Mac OS, Linux) you might use. Whether or not this exploit has already affected you cannot be determined as it doesn't leave any trace behind.
Imagine this being what topples capitalism. Straight up cyberpunk levels of collapse with the reduced computing to patch this. Craaaazy.
Blake Campbell
It appears certain AMD processors are not affected by Meltdown. Not sure if AMD is safe from Spectre. Linux kernel commit notes show that the performance degrading fix is disabled when an AMD processor is detected.
These security flaws probably impact cloud providers/users the most especially if providers rent shared hardware. An attacker could have his VM read the memory of another VM if they are running on the same bare metal machine. The next question is how or if the industry will exchange performance for security.
Thomas Wood
Things are already going to shit, actually
Michael Young
Correct, AMD processors are not affected by Meltdown but they are by Spectre — the worst of both.
Samuel Sullivan
Isn't this an NSA backdoor?
Juan Perry
...
Jason Reed
Joke's on them, I don't have any money to steal anyways.
Sebastian Stewart
Yeah. Intel is a "computer manufacturer" in the same way Lockheed Martin is an "airplane manufacturer". What worries me is that this is being allowed to come out rather than the researchers disappearing in the night, which to me says that they already have something far more effective in place that we don't know about.
Asher Lewis
Well the good thing is that this means there will be more leaks and shit. Good thing I don’t have sensitive data on my computer.
Dylan Kelly
If powers that be were that competent, we wouldn't be here.
This is always the case, NSA and CIA hoard these kinds of things. On top of that, they were sitting on this one for months. That said, Spectre really does take the cake, it is a remarkably evil bug.
Gabriel Robinson
is there any processor which doesn't have this bug?
Nolan Bell
Feels good not to be cucked by western capitalism and the accompanying police state.
Brody Peterson
Spectre affects all hardware and OSs.
Zachary Lewis
my dude, I just ran the spectre test on my new Ryzen chip and it worked.
Nathan Howard
explain this to a brainlet
Adrian Martin
yeah like the first Pentium.
Robert Jones
How about noscript?
Ryan Mitchell
ublock and umatrix or javascript or spectre? for ublock and umatrix, look up their manuals and guides. javascript is a programming language that runs in your browser. whenever you load up a webpage, it runs random javascript programs you download from it. spectre basically lets those programs break out of the browser and steal your info.
probably fine but isn't it obsolete compared to umatrix?
Henry Thomas
Just FYI, since Holla Forums does NOT run on a cloud server, it is less vulnerable to Spectre. It's cloud services like Amazon that are totally buttfucked by it.
Dylan James
I've been hearing this bullshit about THE END OF THE CYBERWORLD since John fucking McAfee blew his hot drug filled load in the early 90's warning of the VIRUS OF ALL VIRUSES
I've been told this the last 7 years more consistently that I just don't give a shit. I don't care the NSA knows that I have my phone near me when I'm wrecking my butthole with a dildo, I don't care that they see me naked, I don't even care if this leads to my doxxing and death
I am so tired of these doomsday scenarios that I refuse to believe they're real. Boy who cried wolf too many god damn times.
Brody Myers
Only technologically obsolete processors you're unlikely to have ever approached in your whole life unless you're 30+.
Jacob Wright
You're all a bunch of cowards, let them spy on you. Be someone's entertainment. Hey, let them destroy your computer, it might improve your life!
Too bad this is going to be another whole bunch of nothing hyped to hell by paranoid internet dweebs who can't tell the forest from the trees/can't tell net neutrality from the boy who's cried wolf so many times he might as well have been killed out of annoyance by the local populace.
Jaxon Miller
Nobody's saying this is "the end of the cyberworld", just that it's a far-reaching security crisis with very serious implications.
Brandon Brooks
dude, you hear about it all the time because capitalism makes it so that there's no profit incentive to make secure software and hardware. it's just totally fucked, but this one genuinely is a lot worse than normal ones.
Bentley Mitchell
According to AMD their chips are completely unaffected.
Tyler Ross
You're clearly an idiot who has no clue what the whitepaper is talking about. Spectre is genuinely bad.
David Hill
No, they only said that about Meltdown. I repeat, I have personally tested Spectre on my AMD hardware and it's vulnerable.
Isaiah Gomez
But what if it wrecks your bank account? Then you can't buy any more dildos and ain't that a fate worse than death?
Luis Davis
Hearing about this is more tiresome than drinking gin. Both are bound to happen, both taste like shit, you promise you won't look at the bottle again and in your gut you feel the same annoyance that it's always there, always yelling at you about the next cyber security thread
I have been so desensitized by this bullshit that I wouldn't care if whatever I say here gets me arrested.
I don't care who does this or what it is for but if they have a folder of my nudes I hope they fucking enjoy it.
Gavin Lee
That's only Meltdown. Pretty much all of your devices are vulnerable to Spectre.
Alexander Anderson
Why would it be a fate worse than death if I already have dildos
Andrew Diaz
No it's just another example of America ruining fucking everything.
Isaac Bell
nibba you aint charles bukowski
Samuel Miller
Just shut up then faggot, why are you even here?
Joshua Ramirez
Shut the fuck up you tired lizard like man.
John Richardson
And you aren't William Gibson
Jeremiah Miller
...
William Gonzalez
To tell you that if you thought anything different was happening you're an idiot.
Adrian Lopez
I'm Thomas Pynchon
Jackson Rogers
So why read any news? Once you read one story about capitalist exploitation, no point reading any more, right?
Mason Stewart
Why are you so upset I'm laughing at you that you didn't expect the obvious. Oh I know why, it's because you're a baby.
Kevin Martin
my dad is a police car
Aiden Collins
Wrong!
Jacob Harris
The obvious is that there will always be more exploits. Wow, you're a real fucking Cassandra.
Mason Walker
My mom fucked your dad, I'm a hybrid of both man and machine
Aiden Jones
No No No No, wrong wrong wrong
You can't take back what I'm laughing at your hysteria over the obvious for back to me that's silly
Owen Jenkins
>>>/discord/ >>>/podcasts/ >>>/circlejerk/
Jayden Murphy
u dumb fucks this whole thing is a shill to get u to buy amd how fucking stupid can u commie cunts be
Ian Anderson
It affects AMD, fuck off.
Adrian Baker
>>>/g/
Matthew Rogers
but it affects AMD as well you cuck
Wyatt Torres
But it can be patched without causing massive slowdowns. That's the rub.
Cameron Wood
No it can't, Spectre has no patch as of now. You're thinking of Meltdown. RTFA, RTFT.
Michael Hill
You're talking about Meltdown, not Spectre. Spectre is a hardware-specific issue, it can't be solved through patching.
Tyler Garcia
Thank you NSA for protecting our freedoms from terrorists dog bless ameriga : DDD
Austin Butler
This is like watching 3rd graders argue about who's stronger Wolverine or Yoda
Connor Mitchell
fuck off retard.
Sebastian Barnes
A thread about computer security gets derailed. Cointelpro in action?
Both are hardware issues, spectre has no fix now or for the foreseeable future.
Levi Allen
what's with all the retards in this thread in particular
Adam Taylor
The brice of freedom.
Connor Barnes
...
Liam Cooper
It could be NSA meddling or it could be pursuing performance/profit without regard to security. Or both
Benjamin Nelson
FREEDOM AIN'T NOT FREE- NOT MARTIN LUTHER KING JR
Daniel Williams
So they don't use AMD or intel? Seriously?
Dylan Adams
Do they use branch prediction? Probably.
Wyatt Powell
I know that at least Russia produces its own domestic processors. They have a lot of domestic protectionism laws.
Asher Sanders
Most likely both. The NSA/US federal government apply extreme pressure on any tech company that refuses to cooperate with them. It's in their best interest to just give the government what they want.
Andrew Jackson
What the fuck are you on? Do you believe current-day Russian or North Korean CPUs somehow don't use speculative execution?
Gabriel Williams
shoulda taken the noscript pill homie I told you real neighbors block everything
Ian Evans
The real winners are the govts who bought a bunch of typewriters and made their top secret shit move back to paper.
Brandon Bell
I thought that was just Spectre 1 which already got patched
Henry Stewart
Reminder that a US-sponsored cyberattack on Iranian nuclear facilities managed to ruin one out of five of their uranium centrifuges — it was called the Stuxnet worm.
Yes there is. Pic related. Variants 1 and 2 are part of the spectre exploit. Variant 3 is meltdown which as far as I know only affects Intel.
Blake Kelly
None of exploits listed in that article are Spectre. There is proof of concept code in the Holla Forums thread: >>>Holla Forums847282 >>>Holla Forums847304 >>>Holla Forums847313 >>>Holla Forums847329 >>>Holla Forums847330 >>>Holla Forums847336 >>>Holla Forums847339 >>>Holla Forums847340 >>>Holla Forums847374 >>>Holla Forums847377 >>>Holla Forums847378 >>>Holla Forums847418 It has been tested and is proven to work on numerous AMD and Intel chips. There IS NO SOFTWARE UPDATE as of yet, and possibly won't be one at all.
This clarifies somewhat, and explains AMD's extremely cocky attitude. SO FAR, Spectre on AMD can only access memory within a process. This means it is not a major problem for AMD servers right now, but it is still a major problem for us, because it can run as a browser exploit. AMD claims that OS and software updates can fix it, but browser and OS vendors have not pushed patches that eliminate this problem yet. As well, we still don't know this bug can't be slightly re-engineered to get full coverage on AMD.
Jacob Garcia
But those processors don't have any ASLR. That was before we had to worry about randomizing kernel boot calls. My x200 on Gentoo hardened seems to be safe from Spectre for the time being. I'm not sure about Meltdown. I'm more concerned about Meltdown. Is there any proof of concept code for that? I'll look into the papers again tomorrow.
Jaxon James
How do I protect myself beside using common sense? I want to update windows but I will also need an arsenal of anti telemetry
you could have just copy and pasted "2018-01 Security Only Quality Update for Windows" by the way
John Brown
Well for 1 you can stop using Windows, I don't understand the idea that you don't want to be spied on and will jump through hoops to fix an unfixable OS yet won't try anything else. But there will be security patches for Meltdown, but Spectre is aptly named as there is no fix for it until new processors are made, so until then install scriptblockers and don't download malicious programs.
Ryder Price
I don't know about him, but some online games I play are Windows only and don't quite work right with Wine. My personal solution was have a gaming desktop I dual boot for games and laptop running Debian for everything else. I wish Windows would just die.
Time to learn how to dual boot. Gotta look out for my vidya, unfortunately. Otherwise, I'd drop the microshit meme already.
Oliver Parker
so he has ads on his website? that's it?
Nathaniel Green
can I use that without the million previous updates? I never update
Jaxson Bell
They're malicious ads.
Kayden Murphy
just don't go on the website and keep on using the extension.
Brody White
The whole point is, why the hell would you trust this guy to send updates to your browser extension if he deliberately puts virus downloads on his site?
Jack Cox
I don't use updates. and just because he's doing this one dumb thing for money doesn't mean the entire thing is useless.
I'm no expert in CPU architecture, but I'm pretty sure you can't predict Iranian procs have the exact same issue as Intel ones
Nathaniel Gutierrez
It's very unlikely those CPUs don't use the computation techniques that allow the flaws to be exploited, such as speculative execution. Virtually every unit produced starting in the late '90s has those features, why would Iran's be different? That would be like assuming Iranian mouses somehow don't have a right click button.
David Hall
There is a Spectre haunting the whole world…
Cameron Cruz
Laughs in Ryzen
Justin Gutierrez
Uh, no. Meltdown is the worst of the duo, you dimwit. Spectre can be patched at a software level, while Meltdown can only be somewhat controlled by a kernel patch, and even then, it's barely even a band-aid.
Brayden Smith
...
Cameron Moore
Put this into the oc thread.
Noah Jackson
Just update Firefox and Chrome and you won't get affected by JS Spectre scripts.
Don't torrent applications released from 2018 and later (unless you're willing to install the OS patch that slows your intel CPU by up to 30%).
Logan Bell
Also stop using chrome.
Alexander Ross
yeah it's not a problem if you get all your programs from a package manager or compiled from source either.
Jason Torres
great, by applications do you mean .exes like hentai games or files in general? Do I not get to download new films at all unless I update my pirated Win7? Is Linux affected?
Ryder Parker
Firefox is slow, rusted out garbage by today's standards and needs a completely rewritten engine. Use Ungoogled Chromium if you're a tinfoiler freetard.
Firefox is still mostly single-threaded, and has only recently started to separate certain parts into separate processes with e10s. Firefox is the Adblock Plus of internet browsers (ie. it had its place in history, but it's now way slower than the alternative). The number of tabs that Firefox needs to process in memory decreases the entire application's performance by approximately O(N^2). You will notice that the more tabs you open (and close, because Firefox frequently fails to garbage collect), the slower your entire Firefox UI gets, forcing you to restart the browser when it gets unbearable. Meanwhile, Chromium, which separates each tab into separate processes, decreases in performance by approximately O(N logN) which is a fuck load better when you have a substantial number of tabs open, with the trade-off of slightly higher memory usage per tab due to runtime design limitations by the OS (microsoft never envisioned that common programs, beyond server/enterprise programs, would split into separate processes and communicate with each other).
applications meaning executable binaries. videos and pictures and shit just get decoded by a video player, they are very difficult to turn into executables.
Your pirated Win7 is literally spying on you. Install Linux.
Linux distros use package managers guaranteeing that you get your programs from a trusted source. The only way for this kind of malicious code to get onto Linux is through internet browser exploits (or some other vector). Update your browser and it's not a problem.
Evan Myers
No it isn't, the Quantum project makes it just as fast as Chrome, and it's only going to get faster and more secure. It has tab content isolation now and multithread and multiprocess.
Ungoogled Chromium isn't terrible or anything, but don't spread FUD. Firefox is the best option in most distros' default packages.
Nolan Adams
On a single tab. Which means fuck all when we're talking about multiple tabs.
No it does not. You just made up that term because you will not find "tab content isolation" anywhere in Electrolysis' documentation. Please actually look into how Electrolysis (e10s) works. What Electrolysis does is separate the UI, "web content" (all tabs), media content (HTML5 videos) and extensions into their own separate processes. While this is a significant improvement from before, one tab can still bring down all your other tabs as it's all in the same "web content" process.
Performance-wise, FF remains worse than Chromium.
Ryan Torres
You will need to trust the person who is distributing the program. Huge problem for servers, corporate workstations, ATMs, etc. but not so much for ordinary people who don't do many security-sensitive activities. Personally I think the risk from Meltdown is so low that I'm opting to avoid hampering my i7 CPU's performance with the patch on my home computer unless they release a better patch where any performance loss is unperceivable.
It's possible to inject code into media files that exploits bugs (aka "security holes") in media file viewers (ex. MPC-HC, VLC, internet browser, PDF viewer). Just keep your media file viewers up to date.
It's just as affected as Windows. They've released a patch (look up KPTI) starting from kernel 4.15 and 4.14.11.
"Some other vector" can include vulnerable media file viewers that run infected media files.
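
An added example, not code from the thread or from any kernel project: a shell check of the mitigation state for the three variants named in the thread (Spectre variants 1 and 2, and Meltdown), read from the Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities`. The 4.14.11/4.15 thresholds are taken from the post above and treated as an assumption, since distribution kernels may backport the patch; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: report Meltdown/Spectre mitigation state on Linux.
# Version thresholds (4.14.11, 4.15) are the ones quoted in the thread; distro kernels
# may backport the fix, so the version check is a hint, not proof.

# kpti_expected VERSION: succeed if VERSION is >= 4.14.11 within 4.14.x, or >= 4.15.
kpti_expected() {
    ver=${1%%-*}                          # "4.15.0-20-generic" -> "4.15.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;
        *)   patch=0 ;;
    esac
    minor=${minor%%[!0-9]*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -lt 4 ]; then return 1; fi
    if [ "${minor:-0}" -ge 15 ]; then return 0; fi
    [ "${minor:-0}" -eq 14 ] && [ "${patch:-0}" -ge 11 ]
}

# classify_status LINE: map one sysfs status line to ok / vulnerable / unknown.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report [DIR]: print one row per issue; succeed only if every entry is ok.
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    bad=0
    for name in meltdown spectre_v1 spectre_v2; do
        line="(no sysfs entry)"
        if [ -r "$dir/$name" ]; then line=$(cat "$dir/$name"); fi
        state=$(classify_status "$line")
        if [ "$state" != ok ]; then bad=$((bad + 1)); fi
        printf '%-11s %-11s %s\n' "$name" "$state" "$line"
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone run: only meaningful on Linux.
if [ "$(uname -s)" = Linux ]; then
    kpti_expected "$(uname -r)" || echo "kernel $(uname -r) predates 4.14.11/4.15"
    report || echo "one or more entries not reported as mitigated"
fi
```

A missing sysfs entry is reported as `unknown` rather than `ok`, because an older kernel that lacks the directory gives no evidence either way.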