cspan37421
01-18-2018, 02:24 PM
Just curious what those here familiar with these CPU security flaws think of the whole mess. Here's
I. a quick summary of my understanding,
II. how I think it may affect me, and
III. what I am doing or plan to do.
I.
The Project Zero post:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
and the linked PDFs to the original research papers are worth reviewing if you have the expertise or interest in a particular facet. For instance, an early report suggested 32-bit OSes were not affected, but I found nothing in the papers that indicated 32-bit OSes were in the clear.
Meltdown - Intel only. Affects virtually all modern Intel processors.
Spectre - all Intel plus most AMD. Affects virtually all modern processors. Spectre is considered harder to exploit.
Severity: it is said that this is major - monumental - for cloud providers. Less so for individual PCs (but not zero). And what's more, that doesn't mean individual USERS are in the clear. There's quite a bit of data on all of us that is in "the cloud". For the most part, we didn't put it there, but apparently, entities with which we do business, did.
II.
I've got an oddball array of machines, most old (simply because they continue to be good enough).
7+ yr old Dell Desktop: runs Win7, 64-bit. Has an AMD Phenom II x6 processor. At the time of purchase, that was a very zippy processor, and has aged well for my use case.
5+ yr old Dell Laptop: runs Raspberry Pi Desktop (RPD, which is a lightweight version of Debian, in a Raspbian wrapper). Has an Intel Celeron B820 processor, from the Sandy Bridge family of processors. Originally this Dell laptop came with Ubuntu, but subsequent OS updates all but bricked the system due to their increasing demands on the Dell's meager hardware. When Raspbian was, in essence, ported to x86 architecture, I decided to give it a try on this old machine, and indeed, it brought it back to being responsive and usable.
1+ yr old Raspberry Pi 3: don't laugh, this is my only computer that isn't vulnerable to Meltdown or Spectre (Eben Upton has a long post about why the Pi is not vulnerable - as well as insights as to how this whole mess came about - here (https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/)). Runs Raspbian on a Broadcom 64-bit ARMv7 quad-core processor. (Note, however, that Raspbian is a 32-bit OS.)
I'm unaware of any commercially-produced personal computers for sale right now (save for the Pi) that aren't vulnerable to these chip-level risks.
III.
w/r/t my Dell desktop, Dell seems to be rolling out BIOS fixes for machines they've sold. Unsurprisingly, they've not gotten to my machine yet, though they're close. This is just step one of a 3-pronged approach they're recommending: 1) BIOS update, 2) OS patch, 3) application (browser, etc.) update.
The OS patch for my Win7 machine was supposedly available at Microsoft, but I think they've taken it down because of the bricking (soft or hard) on AMD systems. When I tried to download it to just save it for later, I got this message in Firefox, which I thought ironic:
[attachment 8004]
On my Dell laptop, which has an Intel processor, I've not done anything yet, other than update RPD via apt-get. I thought I read that Debian had issued patches, but I'm not sure. Dell also hasn't gotten to the BIOS patch for that machine either.
The Pi3 hums along. Actually it doesn't ... no cooling fan.
Thus far, the cure seems to be worse than the disease, for individual users. I think I'm going to wait until there's an exploit in the wild before I really worry too much. I'd also like to wait until these patches are more vetted, and there's widespread agreement on how to proceed. Again, this is all in the context of an individual PC. I'm not running any servers or VMs, which is where the major risk is, from what I understand. It's also where the big performance hits are occurring, after patching.
I've read that there are more vulnerabilities like this coming. Seems to me if you were a nerd version of a prepper, you'd want something like a Raspberry Pi as your "SHTF" computer.
If I had to use it as my only PC, it would work for nearly everything I currently do. I've checked.
Keep external copies of your data, and hopefully there will always be something you can safely use to access it.
PS: It's my understanding that Mac OS is affected too.
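For the "has my Linux OS actually been patched?" question raised above (the RPD laptop updated via apt-get), the kernel itself can answer once it is new enough. This is an added example, not code from the original post: it assumes a Linux kernel of 4.15 or later, which exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and more on newer kernels), each reading "Not affected", "Vulnerable ..." or "Mitigation: ...". An older kernel has no such directory, and the script treats that as "cannot tell, assume unpatched" rather than silently reporting nothing.

```shell
#!/bin/sh
# Report the running kernel's own view of Meltdown/Spectre mitigation status.
# Assumes Linux 4.15+ (the sysfs "vulnerabilities" interface); on an older
# kernel the directory is missing and we say so instead of claiming success.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one status line to a one-word verdict:
#   not_affected / mitigated / vulnerable / unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<issue> <verdict> <raw status>" for every file in the directory.
# Exit status: 0 = everything mitigated or not affected,
#              1 = at least one issue still vulnerable,
#              2 = directory missing (kernel predates the interface).
report_vulns() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel cannot report mitigation status; assume unpatched"
        return 2
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        [ "$verdict" = vulnerable ] && bad=1
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$status"
    done
    return $bad
}

# Run against the live system when executed directly.
report_vulns "$VULN_DIR" && echo "result: nothing left vulnerable" \
    || echo "result: exit status $? (1 = still vulnerable, 2 = kernel cannot report)"
```

A "Vulnerable" line after an apt-get upgrade usually means the new kernel package is installed but the machine has not been rebooted into it, or the distribution's patched kernel has not reached that release yet; "Mitigation:" lines confirm the OS half of the three-pronged approach, but say nothing about the BIOS/microcode half, which is reported separately by the kernel in dmesg and by the spectre_v2 line on newer kernels.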