It's time for everyone to panic (Meltdown & Spectre CPU "bug")

There are reports that patches from Microsoft cause horrible drops in performance. And Intel does not plan to patch CPUs which are older than 5 years. It looks bad. In Linux at least you can rely on official and open source software. In Windows you have to rely on the OS for protection, which does not seem to have much of it.


So is Linux offering these software patches in the normal course of updates we get daily or do users have to go to the website and download these separately?
 
I got the impression such a thing could be detected. Not prevented but detected. Complete prevention may close the door to risk, but because detection is possible,
I thought about that too. Processes trying to use Spectre generate a lot of cache misses and can be detected because of that, but I am not sure CPUs keep those statistics.
the concern, though important, doesn't come across as an imminent crisis spelling doom.

A concern, a big deal, sure, but panic creating, not so much.
It's worse than you think, I think.
 
So is Linux offering these software patches in the normal course of updates we get daily or do users have to go to the website and download these separately?
Yes, it's a normal course of updates. Firefox released a temporary fix for Spectre a few days ago. Now there are fixes in standalone java packages.
What I meant is, if you use official Linux distributions (and this is almost always the case) you are safe from rogue software being installed.
So the only real practical case to get to you is through java code on some web page which is what Spectre can do.
In case of Windows people run programs downloaded from websites all the time without any regard for security. So in practice, the situation in Windows is bad with or without this new threat.

In short, Spectre is bad news for high security systems, which no longer are. Low security systems were fucked to begin with. I think people at NSA are shitting their pants as we speak.
 
Just got an idea on how to fix this mess. More aggressive ASLR used inside executables could force the attacker to guess how code is located.

By the way, for their proof of concept to work they had to disable ASLR, which is ON normally. So real life is harder for Spectre.
 