Security alert - "Meltdown" and "Spectre"

[robkelk]

No doubt everybody's heard the news reports about the newly-discovered security flaw in Intel chips. Guess what: there's two of them; "Meltdown" and "Spectre". And the same security flaw is in Arm Cortex CPUs - which are probably in your cellphone. A similar flaw also exists in AMD chips; they aren't vulnerable to Meltdown, but nobody's willing to say whether they're vulnerable to Spectre. EDIT: Update: They're vulnerable.

Patch your OS, no matter what you run (MacOS, Android, Linux, Windows, whatever).

If you use Chrome, patch it and turn on site isolation.

If you use Firefox, turn on site isolation.

If you use Xen Hypervisor, patch it.

If you use VMWare, patch it.

And if you have a password manager on your cellphone or you let your browser store your passwords... change all your passwords, and don't store the new ones in your password manager or your browser.

[Dartz]

More hilarious is Intel's response, which basically boils down to 'Yeah, it's supposed to do that and we can't fix it. Other people might have the same problem. Now keep paying exorbitant prices for our stuff'

After their CEO sold off a fuckton of their stock.
Long after he would've known about the bug.

[LynnInDenver]

And if you have a password manager on your cellphone or you let your browser store your passwords... change all your passwords, and don't store the new ones in your password manager or your browser.

In other words, we're right back to "write down those passwords, or try to make them easier to remember". The former which we're never, ever supposed to do. The latter which can make a password easier to brute force. And, as always, complicated by the need to use a different password for each and every site one is on.

(Do note: I don't store passwords on my phone, and indeed, I refuse to do my banking via my phone.)

[Labster]

Aaaaactually, writing down passwords is fine, if you can keep them in a safe place. That advice about not writing down is mainly for people who think yellow sticky notes on the desk are acceptable places to keep passwords.

I'm really not sure where the cell phone password advice is coming from -- most cell chips are on ARM and Spectre isn't all that exploitable yet. That sounds a little like sky-is-falling paranoia.

The only problem being that the sky is actually falling. Every general-purpose CPU designed in the last 10 years is vulnerable, and there's no real solution available. There are some workarounds, which mostly involve slowing down your computer by 5-30%. Everyone from hardware designers to compiler writers to web browsers to web designers are affected. On the upside, games are probably the least affected of all, because they don't do a lot of kernel calls.

I guess, uh, just pretend like computers are the U.S. election system. We know that they can be all be infiltrated by Russian hackers, but let's just keep on using the system as if everything is fine, because the alternative is much worse.

Can I just add that CPU design is really, really hard? They have to deal with speed-of-light limits, thermal runaway, chemical purity, and a ton of other engineering problems on a super-tiny wafer.

[LynnInDenver]

Aaaaactually, writing down passwords is fine, if you can keep them in a safe place.  That advice about not writing down is mainly for people who think yellow sticky notes on the desk are acceptable places to keep passwords.

Yeah, I get that part of it is because, if you don't go "NO BAD", there is the contingent that thinks it's fine to have passwords out in plain sight, rather than in a folder in the locked filedrawer that you have to roll backwards to access.

I'm really not sure where the cell phone password advice is coming from -- most cell chips are on ARM and Spectre isn't all that exploitable yet.  That sounds a little like sky-is-falling paranoia.

I mostly don't bank via my phone for other reasons... part of them having to do with "can clone your SIM card then use that to drain your bank account", and partly because "lose my phone and someone potentially gets access to my account data".

The only problem being that the sky is actually falling.  Every general-purpose CPU designed in the last 10 years is vulnerable, and there's no real solution available.  There are some workarounds, which mostly involve slowing down your computer by 5-30%.   Everyone from hardware designers to compiler writers to web browsers to web designers are affected.  On the upside, games are probably the least affected of all, because they don't do a lot of kernel calls.

Yeah, I'm NOT looking forward to the solutions for this, mostly because I'm sure this is going to wind up with me having to upgrade my computer - some of the parts in it are over five years old, so I'm expecting to take a speed hit when the update comes out on Windows 7, and I'll probably be forced to finally look at what it'll take to move over to Linux for my "daily driver". I play games and fiddle with Poser, so that's not going to be an easy thing to accomplish.

I guess, uh, just pretend like computers are the U.S. election system.  We know that they can be all be infiltrated by Russian hackers, but let's just keep on using the system as if everything is fine, because the alternative is much worse.

Can I just add that CPU design is really, really hard?  They have to deal with speed-of-light limits, thermal runaway, chemical purity, and a ton of other engineering problems on a super-tiny wafer.

I get that design is really hard. There have been rumblings that the way performance is optimized is going to have to change, and that no one is going to be happy because it's likely there will have to be compromises on how much performance can be gained.

[robkelk]

...
I'm really not sure where the cell phone password advice is coming from -- most cell chips are on ARM and Spectre isn't all that exploitable yet.  That sounds a little like sky-is-falling paranoia.

The only problem being that the sky is actually falling.  ...

Yeah, that's the thing. Some people really do have a wolf to worry about, so this cry of "wolf!" is real for them. (It's definitely real for those of us who store passwords n their desktop or laptop browsers.)

Oh, yes - patch your systems before changing your passwords. If you do it in the other order, your new passwords will have been vulnerable to discovery and will need to be changed again.

[LynnInDenver]

...
I'm really not sure where the cell phone password advice is coming from -- most cell chips are on ARM and Spectre isn't all that exploitable yet.  That sounds a little like sky-is-falling paranoia.

The only problem being that the sky is actually falling.  ...

Yeah, that's the thing. Some people really do have a wolf to worry about, so this cry of "wolf!" is real for them. (It's definitely real for those of us who store passwords n their desktop or laptop browsers.)

Oh, yes - patch your systems before changing your passwords. If you do it in the other order, your new passwords will have been vulnerable to discovery and will need to be changed again.

More importantly, it's showing to those who have been warning that security is full of holes, that yes indeed, it is full of holes. Granted, this set of vulnerabilities looks like it requires just enough specialized knowledge that someone like me doesn't have to worry overmuch about J Random Criminal (it looks like enough of an effort they need to select higher value targets), but it's still looking more and more like all sorts of places need to go whitelist/offline. Part of the problem is going to be pursuading vendors that, no, sorry, security of the site takes a back seat to the desire to keep our installs checking in. (It's a bit of a fight with that where I work; printshop, we've got a couple of networks, the "prepress" side is kept off the internet except for the check-in every three months, and that's only because we have to keep the latest version handy for customer files.)

I haven't touched my passwords yet, in part because I am waiting for the Windows 7 patch to become available. I'm actually becoming more annoyed because I'm trying to select "high entropy" unique-to-site passwords, and yet I'm still being forced into the whole "reset all your damned passwords now" because of these sorts of things. I'll probably go ahead and do another round of "am I using this site often enough/getting something unique enough to justify keeping my account open there" purging.

[Labster]

Latestbug news: apparently some cheap Android phones, as well as the Raspberry Pi are completely unaffected because they're so underpowered. That is, they don't do any speculative execution.

Some workloads have increased quite a bit: Redis gets a 5% to 30% slowdown, ElasticSearch, etc.  So bad news on the caching layer, which might be the bottleneck for a lot of apps.  Cloud computing just got more expensive.

I still feel like there aren't any reasonable exploits for this publicly available.  That said, if you're the kind of person who might be targeted by a nation state, I wouldn't be surprised certain intelligence services have weaponized this exploit.  It's 17 years old now.  It's probably worthwhile to change passwords anyway.

But I'll wait until there's a fix available for El Capitan.  Apple pushed a patch for the 3 newest OS versions, and then figured out that it didn't actually fix the issue on anything except the newest version.  Oops.  Not that I'm going to upgrade to High Sierra if freaking htop regularly crashes the kernel.

It's just one of these days I wonder why I ever decided to take up computers for a living.

[LynnInDenver]

Latestbug news: apparently some cheap Android phones, as well as the Raspberry Pi are completely unaffected because they're so underpowered. That is, they don't do any speculative execution.

Good, so I don't have to worry about dealing with 4 systems here at the house. (3 media devices, and an emulation station.) That still leaves my computer, my husband's computer, possibly his editing computer, and the pinball simulator build (which is only hooked up for Steam right now, I might just change that now). I'm not worried about the MAME box, since that's deliberately NOT connected to the internet.

Some workloads have increased quite a bit: Redis gets a 5% to 30% slowdown, ElasticSearch, etc.  So bad news on the caching layer, which might be the bottleneck for a lot of apps.  Cloud computing just got more expensive.

That's going to be irksome. I have to wonder if that's going to cause Intel to lose quite a bit of share in the cloud space, since you can't NOT patch those boxes. And if the performance hit is serious enough you have to consider swapping out, it might be worth swapping to something that's at least not as vulnerable out of the gate.

I still feel like there aren't any reasonable exploits for this publicly available.  That said, if you're the kind of person who might be targeted by a nation state, I wouldn't be surprised certain intelligence services have weaponized this exploit.  It's 17 years old now.  It's probably worthwhile to change passwords anyway.

That's the impression I was getting, that it technically requires either an existing malware foothold, or physical access, or intimate knowledge of what you're attacking. That said, yeah, I'll be changing passwords AGAIN. And keeping a notebook in a drawer in the house somewhere instead of storing them on the computer.

But I'll wait until there's a fix available for El Capitan.  Apple pushed a patch for the 3 newest OS versions, and then figured out that it didn't actually fix the issue on anything except the newest version.  Oops.  Not that I'm going to upgrade to High Sierra if freaking htop regularly crashes the kernel.

We have one Mac in the house. Every time we've upgraded at work, I've had new reasons to not like Apple. Although the last upgrade we did at least cleared up the "rolling seas" network server update issues I had been having prior.

It's just one of these days I wonder why I ever decided to take up computers for a living.

Believe me, there's been days that, if someone handed me a Big Red Button that would kill all the computers, no takebacks, I'd have to be physically held back from actually pressing it.

[robkelk]

...
Believe me, there's been days that, if someone handed me a Big Red Button that would kill all the computers, no takebacks, I'd have to be physically held back from actually pressing it.

Meh. Just wait for another 1859-style solar flare, and nature will take care of that for us.

[Morganite]

On the upside, games are probably the least affected of all, because they don't do a lot of kernel calls.

At least games are the only thing that seems to push my system that hard to start with. `.`

Also, looks like you can get the patch for Windows 7 now, you just have to go through the update catalog website and download it manually.

-Morgan.

[hmelton]

I run across an article that gives a fairly easy to understand descriptive out line  of these two security flaws.

https://stratechery.com/2018/meltdown-sp...echnology/

I've actually discovered something close to the melt down flaw way back in 1984 on a old(even at that time.) Harris main frame that was used by the computer science students, Professors and the University's accounting department. 

The Harris Main frame was a multi-user system with up to 1023 user terminals that used "Dynamic Allocation" to divide up the  RAM and "very Fast"(for the time) disk memory. The allocation was very coarse and varied from user to user's time slice so their was always several kilobytes of memory allocated that wasn't written over by your data and program code when having it's slice of computing time.

I run across the flaw when I was writing programs for a machine language theory class, one of my assembler text handling programs had a flaw that kept generating terminals full of gibberish that often contained plaintext versions of other peoples  user name and password.

It didn't seem so bad at first, after all their wasn't usually more than twenty students with the clearance to use the Harris assembler, but a little later I began to think about Harris BASIC, Fortran and COBOL and run a simple test program with BASIC and Fortran.

Both version did not "zero" out variables when they were allocated and it was stated in the manuals that they would contain random gibberish. I followed those test program up with a couple of more test programs and discovered the flaw was actually worse with BASIC and not so bad with Fortran.

A Harris  BASIC programs method of execution and the ability to generate large arrays could give multiple snap shots of uncleared shared memory, while Harris Fortran only gave a single snapshot.

Harris Assembler was possibly the worst way to collect other records because it was allocated the smallest amount of uncleared memory and had the smallest buffers.

I've mostly kept up with the published works on CPU design and theory over the years and almost from the moment I understood  the idea I've been bothered by the use of speculative execution as a method of increasing computation speed.

 It wasn't until I started seeing hints and theories of what the Meltdown flaw was that I finally connected it to that old Harris main frame flaw and realized that's why "out of order speculative execution" has bothered me.

hmelton

[Inquisitive Raven]

Note, if you use Windows or Linux, not only do you need to get the operating system patched, you also need a firmware patch that must be obtained from your computer manufacturer. See here.

[LynnInDenver]

...and the latest version of my motherboard's BIOS is still listed as 2014. *sigh*

So, basically, to eliminate the vulnerability, I might as well disconnect it from the internet and buy a new machine once all the fallout settles.

[robkelk]

...and the latest version of my motherboard's BIOS is still listed as 2014. *sigh*

So, basically, to eliminate the vulnerability, I might as well disconnect it from the internet and buy a new machine once all the fallout settles.

For the first half-day that the CERT advisory was up, that was actually the recommended fix.

There are workarounds, mostly at the OS level. Re-flashing the BIOS is not an absolutely necessary step (although, assuming the new BIOS version is written properly, it doesn't hurt).

[hmelton]

Both vulnerabilities potentially allow any program executing on your computer to potentially read any portion of the computer's memory, as long as you have good or reasonable control over all the programs running on your computer not having a BIOS patch isn't a big problem.

For computers with multiple users all using it at the same time it's critical you have a BIOS update to go with the Operating System Update, but for a home user the BIOS update isn't as critical.

The computer running Drunkard's Walk Forum is an example of a computer system that needs it's BIOS update, because of the large number of users that need to have their passwords and other data  isolated from each other, while also allowing unknown and untrustworthy programs to run at the same time.

For a home user with a single family or single user the BIOS update isn't so critical because the programs are "relatively well" checked and "trusted' so that a operating system patch will make using the CPU flaw hard enough that security is brought back to what most consider acceptable levels.

There is however one HUGE source of untrustworthy programs running on home computers that I think require an additional patch.


From most home computer's point of view the Web Browser is the other major user of your computer and you absolutely must keep the web browser fully patched, but even a fully patched Browser also allows unknown untrustworthy "browser programs" to run, for example Flash and JAVA to name only two of a large number.

All these "browser programs" thanks to these two CPU vulnerabilities have the potential to bypass security and read areas where passwords and other sensitive data is stored.

So I'd recommend finding a web browser that has a Patch for the CPU flaw or failing that find a web browser that is fully patched for other flaws and turn off the browsers capability to download and run most other programs from the internet.
 
For a home computer with a patched OS layer and a Patched Browser layer it should make it nearly impossible for a program operating in the browser's layer or above to use the CPU flaw even when the BIOS is unpatched.

I'd personally be very careful what I let my Web Browser execute, even after getting a computer without these two CPU flaws.

Really you should have already had your web browsers security levels set very high limiting what can be executed.

I know their has been a large number of advertisement driven websites adding scripts that punish users that stop the loading of all the advertisement programs, but i personally think that websites that do that should be a red flagged telling you to stop visiting that site.

It has been demonstrated many times that advertisements, especially advertisements that use a lot of computing resources are a big vulnerability and it is wise to stay away from sites that demand a large amount of computing resources for advertisement.

Most security writers won't mention this, because it hits a little to close to home and their pay checks. 

The recent round of Bit coin miners using web site advertisement to load a resource hogging bit coin mining program and steal computing resources from hundreds of thousands of web browsers is a good example.

For most people the bit coin miner advertisement was an aggravation because it caused a medium to large slow down in their computers that "run" the advertisement that  persisted until the browser had shut down or in the case of Chrome until the computer was rebooted

I'm fairly paranoid so this "mining" slow down really bothers me because I can't help but worry that all those bit coin mining programs running in the  browser and slowing your computer to a crawl as they  "dig" for the few remaining  bit coins were actually digging for my credit card numbers and bank account info as it passed along my computer's passwords and encryption keys.

hmelton

[LynnInDenver]

From most home computer's point of view the Web Browser is the other major user of your computer and you absolutely must keep the web browser fully patched, but even a fully patched Browser also allows unknown untrustworthy "browser programs" to run, for example Flash and JAVA to name only two of a large number.

All these "browser programs" thanks to these two CPU vulnerabilities have the potential to bypass security and read areas where passwords and other sensitive data is stored.

So I'd recommend finding a web browser that has a Patch for the CPU flaw or failing that find a web browser that is fully patched for other flaws and turn off the browsers capability to download and run most other programs from the internet.
 
For a home computer with a patched OS layer and a Patched Browser layer it should make it nearly impossible for a program operating in the browser's layer or above to use the CPU flaw even when the BIOS is unpatched.

I'd personally be very careful what I let my Web Browser execute, even after getting a computer without these two CPU flaws.

Really you should have already had your web browsers security levels set very high limiting what can be executed.

I've been running ad blocking and script blocking for YEARS at this point. It makes the internet a much more pleasant place. Except for those sites that practically try to make you let everything run before they'll show you anything, but those are generally not worth sticking around for. I started running ad blockers when the only issue with online advertising was the insistence that it had to be so in your face that you were distracted from the "real" content... not to mention the constant arms race to force open another window and hide it under in order to obscure where you picked up that insane refuses-to-stay-closed advertisement that forces you to completely force-quit the browser to kill it. It's only in the past five to seven years that it's become increasingly used as an infection vector, which has ensured I've dug in my heels in terms of continuing to use it; the advertising market has pretty much shown they don't give a nit about the security, hence they're no longer allowed on my computer.

I know their has been a large number of advertisement driven websites adding scripts that punish users that stop the loading of all the advertisement programs, but i personally think that websites that do that should be a red flagged telling you to stop visiting that site.

If I can't see anything without killing my ad blocker, either by whitelisting their site, or disabling it entirely (I've seen both demands), I try not to return. Especially places like Forbes that have HAD malware served via their advertisements, and hence showing they're NOT LISTENING. And I'm doubly annoyed when that's the ONLY option presented; I'm a little happier when they present the added option of buying a subscription, which means they're at least doing the thinking of WHY people are running ad blockers, and presenting the other option for those who refuse to whitelist.

It has been demonstrated many times that advertisements, especially advertisements that use a lot of computing resources are a big vulnerability and it is wise to stay away from sites that demand a large amount of computing resources for advertisement.

Most security writers won't mention this, because it hits a little to close to home and their pay checks. 

I've kind of gotten to the point that I don't really think it's a good idea to see advertising as a way to make money. Would the internet become a much smaller place without it? Sure, it would. I'm not sure that's a bad thing given the costs of the requirements of the advertising market.

The recent round of Bit coin miners using web site advertisement to load a resource hogging bit coin mining program and steal computing resources from hundreds of thousands of web browsers is a good example.

For most people the bit coin miner advertisement was an aggravation because it caused a medium to large slow down in their computers that "run" the advertisement that  persisted until the browser had shut down or in the case of Chrome until the computer was rebooted

Cryptocurrency mining is a little better than advertising, but I'd still prefer the option to opt in or buy a subscription anyway. I'd prefer not to run other code on my computer like that, or at least if my computer is being used for mining, and I want it to be my own private mine, thanks.

I'm fairly paranoid so this "mining" slow down really bothers me because I can't help but worry that all those bit coin mining programs running in the  browser and slowing your computer to a crawl as they  "dig" for the few remaining  bit coins were actually digging for my credit card numbers and bank account info as it passed along my computer's passwords and encryption keys.

That's the other reason I don't want them to run cryptominers. Who knows what else is running alongside it.

[Inquisitive Raven]

It has been demonstrated many times that advertisements, especially advertisements that use a lot of computing resources are a big vulnerability and it is wise to stay away from sites that demand a large amount of computing resources for advertisement.

I started using and ad blocker because this one site that I visited regularly had animated ads that broke my browser. I find my web experience so much pleasanter without the advertising.

More recently, I discovered the EFF's browser extension, Privacy Badger which blocks third party trackers.

[Bob Schroeck]

...and the latest version of my motherboard's BIOS is still listed as 2014. *sigh*

Mine is 2015, but yeah, same *sigh* here.

[Labster]

Cryptocurrency mining is a little better than advertising, but I'd still prefer the option to opt in or buy a subscription anyway. I'd prefer not to run other code on my computer like that, or at least if my computer is being used for mining, and I want it to be my own private mine, thanks.

No, no, no.  Cryptocurrency mining is an ecological disaster.  Bitcoin uses approximately 0.20% of the world's energy supply, or approximately one Hong Kong.  Thirteen U.S. houses could be powered for a day for the cost of a single bitcoin transaction.  Bitcoin uses 5000x more energy per transaction than VISA.

Running web-based mining is even worse, because you're using a general purpose CPU instead of a GPU optimized for floating point calculations.  So you spend even more energy you don't notice.  And hey, if we stop doing Bitcoin maybe gamers can actually buy a decent graphics card?

I'm currently just running uBlock Origin, which blocks most trackers and ads with the default lists, and Decentraleyes.  Decentraleyes keeps cached copies of web libraries, so CDNs can't track which websites you visit that way.  This also speeds loading of JS-heavy sites. And protect against the CDN getting hacked, but that's mainly paranoia.  Paranoia seems to be prudent these days.

[LynnInDenver]

No, no, no.  Cryptocurrency mining is an ecological disaster.  Bitcoin uses approximately 0.20% of the world's energy supply, or approximately one Hong Kong.  Thirteen U.S. houses could be powered for a day for the cost of a single bitcoin transaction.  Bitcoin uses 5000x more energy per transaction than VISA.

I wasn't saying I was going to be running a mine anytime soon... just that I don't want anyone ELSE running a mine on my hardware.

Running web-based mining is even worse, because you're using a general purpose CPU instead of a GPU optimized for floating point calculations.  So you spend even more energy you don't notice.  And hey, if we stop doing Bitcoin maybe gamers can actually buy a decent graphics card?

I'd heard it was becoming an issue getting the higher end cards because various cryptocurrencies are to that point. And it's why there's an effort towards the "in your browser" mining, given the potential of massive amounts of otherwise underused computing power, even on non-optimized processors.

I'm currently just running uBlock Origin, which blocks most trackers and ads with the default lists, and Decentraleyes.  Decentraleyes keeps cached copies of web libraries, so CDNs can't track which websites you visit that way.  This also speeds loading of JS-heavy sites. And protect against the CDN getting hacked, but that's mainly paranoia.  Paranoia seems to be prudent these days.

I've been using uBlock Origin since after AdBlock Plus started allowed ads (even vetted, I have issues with that), and switched to uBlock Matrix when NoScript wasn't quite ready on the Firefox architecture changeover.

[LynnInDenver]

https://www.computerworld.com/article/32...fixes.html

So, um, now what?

(My next computer will probably be running an AMD at the rate this is going.)

[robkelk]

Please note that the list I provided in the original post in this thread did not include "flash your BIOS".

[LynnInDenver]

Please note that the list I provided in the original post in this thread did not include "flash your BIOS".

To be fair, that recommendation has been coming from other sources. And the results have been, again, showing one of the reasons getting people to patch religiously is difficult, and that's the problem of patches badly breaking things that were working just fine before patching.

Do note that we have two computers in the house that do NOT get patches... but that's in part because the decision was made that those computers also don't get to partake in our network, as their purpose in the house doesn't require any sort of network connection. And since they're turned on only a couple of times a month, at the most, it's easier to deal with if we don't have to remember to go down and turn them on for Patch Tuesday.

[Morganite]

Looks like the newest Firefox 52 ESR release has the anti-spectre stuff in it.

-Morgan.