Meltdown and Spectre



cspan37421
01-18-2018, 02:24 PM
Just curious what those here familiar with these CPU security flaws think of the whole mess. Here's

I. a quick summary of my understanding,
II. how I think it may affect me, and
III. what I am doing or plan to do.

I.

The Project Zero post:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

and the linked PDFs to the original research papers are worth reviewing if you have the expertise or interest in a particular facet. For instance, an early report suggested 32-bit OS were not affected, but I found nothing in the papers that indicated 32-bit OS was in the clear.

Meltdown - Intel only. Affects virtually all modern Intel processors.
Spectre - all Intel plus most AMD. Affects virtually all modern processors. Spectre is considered harder to exploit.

Severity: it is said that this is major - monumental - for cloud providers. Less so for individual PCs (but not zero). And what's more, that doesn't mean individual USERS are in the clear. There's quite a bit of data on all of us that is in "the cloud". For the most part, we didn't put it there, but apparently, entities with which we do business, did.

II.

I've got an oddball array of machines, most old (simply because, they continue to be good enough).

7+ yr old Dell Desktop: runs Win7, 64-bit. Has an AMD Phenom II x6 processor. At the time of purchase, that was a very zippy processor, and has aged well for my use case.

5+ yr old Dell Laptop: runs Raspberry Pi Desktop (RPD, which is a lightweight version of Debian, in a Raspbian wrapper). Has an Intel Celeron B820 processor, from the Sandy Bridge family of processors. Originally this Dell laptop came with Ubuntu, but subsequent OS updates all but bricked the system due to their increasing demands on the Dell's meager hardware. When Raspbian was, in essence, ported to x86 architecture, I decided to give it a try on this old machine, and indeed, it brought it back to being responsive and usable.


1+ yr old Raspberry Pi 3: don't laugh, this is my only computer that isn't vulnerable to Meltdown or Spectre (Eben Upton has a long post about why the Pi is not vulnerable - as well as insights as to how this whole mess came about - here (https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/)). Runs Raspbian on a Broadcom 64-bit ARMv7 quad-core processor. (note, however, Raspbian is a 32-bit OS).

I'm unaware of any commercially-produced personal computers for sale right now (save for the Pi) that aren't vulnerable to these chip-level risks.

III.

w/r/t my Dell desktop, Dell seems to be rolling out BIOS fixes for machines they've sold. Unsurprisingly, they've not gotten to my machine yet, though they're close. This is just step one of a 3-pronged approach they're recommending: 1) BIOS update, 2) OS patch, 3) application (browser, etc) update.

The OS patch for my Win7 machine was supposedly available at Microsoft, but I think they've taken it down because of the bricking (soft or hard) on AMD systems. When I tried to download it to just save it for later, I got this message in Firefox, which I thought ironic:

[Attachment 8004]

On my Dell laptop, which has an Intel processor, I've not done anything yet, other than update RPD via apt-get. I thought I read that Debian had issued patches, but I'm not sure. Dell also hasn't gotten to the BIOS patch for that machine either.

The Pi3 hums along. Actually it doesn't ... no cooling fan.

Thus far, the cure seems to be worse than the disease, for individual users. I think I'm going to wait until there's an exploit in the wild before I really worry too much. I'd also like to wait until these patches are more vetted, and there's widespread agreement on how to proceed. Again, this is all in the context of an individual PC. I'm not running any servers or VMs, which is where the major risk is, from what I understand. It's also where the big performance hits are occurring, after patching.

I've read that there are more vulnerabilities like this coming. Seems to me if you were a nerd version of a prepper, you'd want something like a Raspberry Pi as your "SHTF" computer.


If I had to use it as my only PC, it would work for nearly everything I currently do. I've checked.

Keep external copies of your data, and hopefully there will always be something you can safely use to access it.

PS: It's my understanding that Mac OS is affected too.
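
For the Debian-based laptop described in the post above, the Linux kernel itself reports whether the Meltdown and Spectre fixes are active. The script below is an added example, not part of the original thread; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (mainline 4.15 or a distribution backport), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Assumption: the kernel exposes the sysfs directory below (4.15+ or a backport).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints ok, mitigated, vulnerable or unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_dir DIR -> prints one line per issue.
# Returns 0 if all are ok/mitigated, 1 if any is vulnerable/unknown, 2 if DIR is missing.
check_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no status report at $dir (kernel does not expose one)"; return 2; }
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw=""   # entry absent: the kernel says nothing about this issue
        fi
        class=$(classify_status "$raw")
        echo "$name: $class (${raw:-no entry})"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Report on this machine; the result code is kept in $status for callers.
status=0
check_dir "$VULN_DIR" || status=$?
```

A missing directory or entry is reported as not confirmed rather than as safe, since an unpatched kernel says nothing at all.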

fuse
01-18-2018, 05:49 PM
You said it in your opener: whole mess.

My short answer if you use Windows is update your antivirus, update Windows and update your browsers.

If you use Chrome there is a tab sandbox you can enable.

Don’t save passwords in your browser, and pay attention where you surf the web.

The above is more personal/home advice than work.

If you compile code, you are likely to see an impact.
Intel advising 6-10% performance impact means if you use cloud, your costs could go up to account for the increase.

Most have been focused on the “pure compute” impact.
I am waiting to see the fallout in the network and storage industry.

Real world risk and impact aside, I am wondering when the legal circus will begin with Intel.

Acymetric
01-18-2018, 06:21 PM
My understanding of the difficulty of exploiting either issue leads me to believe individual users are at virtually no risk here as far as generic personal information (the level of effort to exploit these flaws against a random, average person is unlikely to yield a benefit worth the trouble especially when there are much easier ways with reasonably high success rates). High profile people in business or government or people who would be known to the attacker to have desirable information may be at risk of a targeted attack specifically against them, but that is only slightly more likely. Businesses and governments are the groups who need to be most concerned (of course, your personal information could be compromised from those sources, but there is nothing you can do on your own to prevent or mitigate that).

Of course, I still recommend applying any [working] fixes regardless, but as an individual there is probably not much reason to be concerned about your personal computers or devices being attacked.

fuse
01-18-2018, 07:24 PM
> My understanding of the difficulty of exploiting either issue leads me to believe individual users are at virtually no risk here as far as generic personal information (the level of effort to exploit these flaws against a random, average person is unlikely to yield a benefit worth the trouble especially when there are much easier ways with reasonably high success rates). High profile people in business or government or people who would be known to the attacker to have desirable information may be at risk of a targeted attack specifically against them, but that is only slightly more likely. Businesses and governments are the groups who need to be most concerned (of course, your personal information could be compromised from those sources, but there is nothing you can do on your own to prevent or mitigate that).
>
> Of course, I still recommend applying any [working] fixes regardless, but as an individual there is probably not much reason to be concerned about your personal computers or devices being attacked.

With respect, there are browser side javascript exploits published that make your personal PC and the information in your browser and PC vulnerable if unpatched.

I won’t argue difficulty, or whether or not there are easier ways, or if an individual is more likely to be targeted or not. Visiting the wrong website that has the right javascript malware is a risk.

It’s also early in the game for this exploit, given vendors are trying to patch a hardware flaw with software. The long term solution is for Intel to come up with a new x86 architecture without the speculative execution flaw.

PackMan97
01-19-2018, 10:25 AM
This issue is a big deal for everyone, but it is a far bigger deal for cloud hosting companies.

Even though individually it would suck if the exploit were used against you, it's limited in damage to only you.

For cloud hosting companies a compromised host server, or compromised guest can lead to access to information an attacker shouldn't have. Why is this a bigger problem for hosting companies? I can go to Amazon, Microsoft, Google, IBM and create an account in their cloud and put whatever code I want onto their cloud and try and exploit their systems.

There are two different types of issues. One only affects Intel, but the other affects almost every major processor developed in the past 20 years. Now that the basic attack vector is understood, look for additional ways to exploit the design flaw. What we've seen so far is only the tip of the iceberg. I'd like to say that Intel will lose a lot of money, but my guess is that within a year they release a line of chips that don't have it and their profits and revenue will skyrocket.

left_hook_lacey
01-19-2018, 02:20 PM
Came in here thinking this was a thread about the key villains in the next Marvel movie. Carry on.

cspan37421
01-19-2018, 04:34 PM
> Came in here thinking this was a thread about the key villains in the next Marvel movie. Carry on.

IDK about Marvel, but one is def. a James Bond movie.

I was going to question fuse about pinning it entirely on speculative execution, in that it initially seemed to me that the real problem is having access to stuff in protected memory that s/n be accessed before process permissions/credentials are checked, but they may just be two sides of the same coin. It's really beyond my expertise. I'm merely a user that is trying to navigate these choppy waters.

It's interesting to me that smartphones are affected too. And it hasn't escaped me that in the reporting on this, and so many other computer attacks, the word "javascript" appears. Can't live with it, can't live without it?

fuse
01-19-2018, 05:21 PM
> This issue is a big deal for everyone, but it is a far bigger deal for cloud hosting companies.
>
> Even though individually it would suck if the exploit were used against you, it's limited in damage to only you.
>
> For cloud hosting companies a compromised host server, or compromised guest can lead to access to information an attacker shouldn't have. Why is this a bigger problem for hosting companies? I can go to Amazon, Microsoft, Google, IBM and create an account in their cloud and put whatever code I want onto their cloud and try and exploit their systems.
>
> There are two different types of issues. One only affects Intel, but the other affects almost every major processor developed in the past 20 years. Now that the basic attack vector is understood, look for additional ways to exploit the design flaw. What we've seen so far is only the tip of the iceberg. I'd like to say that Intel will lose a lot of money, but my guess is that within a year they release a line of chips that don't have it and their profits and revenue will skyrocket.

I’ll be the first to say Intel is full of people way smarter than me. Replacing the x86 architecture in a year is wildly optimistic (I hope you are right!).

One alternative might be revisiting architectures that were abandoned. Itanium might be one such possibility, but given Oracle (formerly Sun) announced their SPARC line is also impacted, this may require an industry-wide clean sheet of paper design.

fuse
01-19-2018, 05:26 PM
> IDK about Marvel, but one is def. a James Bond movie.
>
> I was going to question fuse about pinning it entirely on speculative execution, in that it initially seemed to me that the real problem is having access to stuff in protected memory that s/n be accessed before process permissions/credentials are checked, but they may just be two sides of the same coin. It's really beyond my expertise. I'm merely a user that is trying to navigate these choppy waters.
>
> It's interesting to me that smartphones are affected too. And it hasn't escaped me that in the reporting on this, and so many other computer attacks, the word "javascript" appears. Can't live with it, can't live without it?

You are on the right track. Exploiting the speculative execution is what enables nonprivileged access to memory, as best I understand it.

You are also spot on that almost anything with a processor could be vulnerable. It’s scary stuff that will have ongoing near and long term ripples in industry. If you believe every company is now a technology company, Meltdown and Spectre impact everything.