PKR
Veteran
Meltdown and Spectre Side-Channel Vulnerabilities
Original release date: January 03, 2018 | Last revised: January 04, 2018
US-CERT is aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Users and administrators are encouraged to review Vulnerability Note VU#584653, Microsoft's Advisory(link is external), and Mozilla's blog post for additional information and refer to their OS vendor for appropriate patches.
US-CERT is not aware of any active exploitation at this time. Additional information as it becomes available will be available on the following webpage: https://www.us-cert.gov/Meltdown-Spectre-Guidance
See the web site for links to details..
https://www.us-cert.gov/ncas/curren...down-and-Spectre-Side-Channel-Vulnerabilities
CNN
http://money.cnn.com/2018/01/03/technology/computer-chip-flaw-security/index.html
http://news.trust.org/item/20180105113731-wb5kp
Don't forget to look for patches for your smart phone!
I won't comment further on this kind of thing. When I last did, I got into trouble with the management. So, please don't expect any response to questions directed to me. pkr
Original release date: January 03, 2018 | Last revised: January 04, 2018
US-CERT is aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Users and administrators are encouraged to review Vulnerability Note VU#584653, Microsoft's Advisory(link is external), and Mozilla's blog post for additional information and refer to their OS vendor for appropriate patches.
US-CERT is not aware of any active exploitation at this time. Additional information as it becomes available will be available on the following webpage: https://www.us-cert.gov/Meltdown-Spectre-Guidance
See the web site for links to details..
https://www.us-cert.gov/ncas/curren...down-and-Spectre-Side-Channel-Vulnerabilities
CNN
http://money.cnn.com/2018/01/03/technology/computer-chip-flaw-security/index.html
http://news.trust.org/item/20180105113731-wb5kp
Don't forget to look for patches for your smart phone!
I won't comment further on this kind of thing. When I last did, I got into trouble with the management. So, please don't expect any response to questions directed to me. pkr
brbo
Well-known
Meltdown patches have been rolled into Windows, macOS and Linux kernel updates. Apply them! NOW!!!
Everybody is still wide* open to Spectre attack. If you have a C compiler on your computer, you can test if you are vulnerable (well, you are).
* There has been some effort put into some browsers (Firefox and Edge, Safari and Chrome should follow soon) to make remote Spectre attack a bit harder.
Everybody is still wide* open to Spectre attack. If you have a C compiler on your computer, you can test if you are vulnerable (well, you are).
* There has been some effort put into some browsers (Firefox and Edge, Safari and Chrome should follow soon) to make remote Spectre attack a bit harder.
Steve M.
Veteran
Well, it's not like I have any sensitive information for anyone to exploit! All of my credit cards, as well as my debit card, are protected by 100% guarantees from my providers in cases of fraud or theft, and my email is fastmail, an Australian outfit that will not honor US Justice Dept subpoenas for data or web history. Every now and then throughout each month I log in and ck my financial activity (such as it is) on the websites. No worries, all is OK. The one time someone did hack an account of mine, the charges were immediately removed by my credit card company. Just clear your cookies, history and cache often. It's also helpful to avoid browsers like Chrome and Firefox and use obsolete (and clean and fast) browsers like Pale Moon and SeaMonkey because so few people use them they are not targets for hacks. My gut feeling is that all of these alerts from various places are akin to Chicken Little's cries of a falling sky.
Microsoft would be the LAST company I would trust to protect me anyway. They, and companies like google, are nothing more than legally protected snoops and thieves.
Microsoft would be the LAST company I would trust to protect me anyway. They, and companies like google, are nothing more than legally protected snoops and thieves.
Ronald M
Veteran
Ah men.
Will add that the "open ports" discovered are left open by Microsoft are that way by behest of the government so they can get into your machine as required. So I read a few weeks back.
I will not buy another Microsoft OS computer if it were the only thing available. My photo computer is never connected to the internet except to handshake with Adobe monthly. Nothing of value is on my mail computer. Key chain has no passwords to banks and brokers. Pain but better safe than sorry.
The problem seems to be the design of chips so the computer can perform multiple operations at one time. This is a feature to allow the machine to run faster. Slow down will be the result.
Read yesterday every device in the world is vulnerable and no patches are sufficient. The operating chips have to be replaced. Who pays???
charjohncarter
Veteran
For us that speak English what does this mean?
Brian Legge
Veteran
Basically, Intel cpus themselves have a vulnerability that allows applications to read and write memory they shouldn't. That means programs that should have limited access could potentially do anything to a affected computer. It's a big vulnerability for hackers to exploit.
It is an unpredicted side effect of optimizations Intel made to their cpus run faster combined with how OSs provide instructions to the CPU.
OSs can work around the issue by providing different instructions. Unfortunately, this 'undoes' the optimization in some cases. Depending on how much a program makes particular calls to the OS, a program may be up to 30% slower.
Because this is an issue at such a low level and as it potentially could cause really bad hacks, it's a big deal. The 'real' fix will likely require CPU hardware changes by Intel. The OS patches are workarounds.
It is an unpredicted side effect of optimizations Intel made to their cpus run faster combined with how OSs provide instructions to the CPU.
OSs can work around the issue by providing different instructions. Unfortunately, this 'undoes' the optimization in some cases. Depending on how much a program makes particular calls to the OS, a program may be up to 30% slower.
Because this is an issue at such a low level and as it potentially could cause really bad hacks, it's a big deal. The 'real' fix will likely require CPU hardware changes by Intel. The OS patches are workarounds.
Pioneer
Veteran
We are just SOL John. Grab a beer and some chips and sit back and watch the fun.
Scapevision
Well-known
and shoot some squirrels while you at it 
charjohncarter
Veteran
I'll take your advice, I don't understand any others.
Spanik
Well-known
Meltdown is Intel specific (all cpu's since 1995! except Itanium) and a single ARM cpu. Spectre has 2 variants. One all cpu's (Intel, AMD but also ARM as used in phones and other internet connected stuff), the other only on some cpu's. This is a pure hardware issue, all software patches are just that, a patch that is likely to cost performance. Only real solution is new hardware but that isn't available now.
So all the talk about using another email provider or no windows or specific browsers is not going to help you for this ones. Apple already has confirmed all its hardware is vulnerable and patches are provided or on the way. For linux there is already a Meltdown patch, as those for windows are being rolled out.
So all the talk about using another email provider or no windows or specific browsers is not going to help you for this ones. Apple already has confirmed all its hardware is vulnerable and patches are provided or on the way. For linux there is already a Meltdown patch, as those for windows are being rolled out.
BillBingham2
Registered User
Anyone interested in buying a slightly used CPM system?
B2 (;->
B2 (;->
PKR
Veteran
Update on Meltdown and Spectre
Tl;dr: Yesterday a new class of attacks against modern CPU microarchitectures was disclosed to the public at large. Coinbase has taken and will continue to take measures to keep your funds and your data safe. All customer funds remain unaffected. Please make sure you update your operating systems with the latest security patches and follow browser recommendations (chrome, firefox, IE/Edge) to mitigate the impact of these bugs on your systems.
AND.. JavaScript:
"Unfortunately, it is likely that this same class of vulnerability could be exploited by malicious JavaScript running in your browser to steal data from other open or recently open browser tabs. This data might include things like cookie values, credentials, PII or similar. Browser vendors are doing a few things to help mitigate this issue, but not all of those updates are ready yet. Coinbase also follows a number of best practices that limit the potential impact on our users, including the use of HTTPOnly cookies, SameSite cookies and anti-CSRF tokens."
There is more here: https://engineering.coinbase.com/update-on-meltdown-and-spectre-45d344c47b5
These are money people; they will stay up with the latest info.
pkr
Tl;dr: Yesterday a new class of attacks against modern CPU microarchitectures was disclosed to the public at large. Coinbase has taken and will continue to take measures to keep your funds and your data safe. All customer funds remain unaffected. Please make sure you update your operating systems with the latest security patches and follow browser recommendations (chrome, firefox, IE/Edge) to mitigate the impact of these bugs on your systems.
AND.. JavaScript:
"Unfortunately, it is likely that this same class of vulnerability could be exploited by malicious JavaScript running in your browser to steal data from other open or recently open browser tabs. This data might include things like cookie values, credentials, PII or similar. Browser vendors are doing a few things to help mitigate this issue, but not all of those updates are ready yet. Coinbase also follows a number of best practices that limit the potential impact on our users, including the use of HTTPOnly cookies, SameSite cookies and anti-CSRF tokens."
There is more here: https://engineering.coinbase.com/update-on-meltdown-and-spectre-45d344c47b5
These are money people; they will stay up with the latest info.
pkr
ptpdprinter
Veteran
My first computer was a CPM-based Kaypro. Alas, there was no browser. Come to think of it, there was no internet. Dial up modems came much later. Then hacking.
ColSebastianMoran
( IRL Richard Karash )
John, my take:
- It's a serious security flaw, present in most modern chips
- Take the updates from your vendors (hardware and browsers)
- Don't install software from anyone but known reputable players
- Don't browse to weird sites
All this, and you are probably OK.
charjohncarter
Veteran
Thank you, Rick, English is my first language so I needed an interpreter.
maigo
Well-known
Commodore 128? Nice... keep it otherwise... seller's remorse.
Sent from my iPhone using Tapatalk