
Thread: May wanna short Intel for a minute. (SPECTRE / MELTDOWN BUGS)

  1. #1
    Plutonium sonatine's Avatar

    May wanna short Intel for a minute. (SPECTRE / MELTDOWN BUGS)

    In June, Google's red team discovered a bug (SPECTRE/MELTDOWN) in pretty much every CPU on the market that allows an unprivileged user who can run code to read privileged memory locations.

    Meaning if you have an AWS cloud VM, you can log into it, run an exploit, and grab the contents of the host system's memory. These contents would likely include things like root passwords, any information received by a webserver, any information sent by a webserver, any tables recently accessed in a database, so on, so on.

    Tl;dr there is no real computer security at the moment.

    Without getting too technical, there is a function in CPUs (speculative execution) that makes it 'assume' an execution path is being requested, and it can be tricked into doing ugly shit as described above. Now, for two days or so, a ton of software patches have been getting released and everyone is patting each other on the back and talking about what a great job everyone did at dealing with this.

    Fun facts:

    - The patches are garbage and the performance hits are fucking severe.
    - Many of the patches are BSOD'ing Windows boxes for example because they were embargoed but released early because SHTF.
    - The patches are a fucking joke because apparently there are like a thousand issues related to this that aren't getting a software patch and remain exploitable.

    The only way this gets patched, is by physically swapping out the fucking CPU for a model that has that entire speculative execution shit fixed.

    The CEO of Intel just sold every single share he held, keeping only the mandatory minimum he's contractually obligated to hold. Seriously.

    It's going to be baaaaaad. Virtually every fucking chip that runs suffers from the issue. It's going to be a legal bloodbathalanche.
    "Birds born in a cage think flying is an illness." - Alejandro Jodorowsky

    "America is not so much a nightmare as a non-dream. The American non-dream is precisely a move to wipe the dream out of existence. The dream is a spontaneous happening and therefore dangerous to a control system set up by the non-dreamers." -- William S. Burroughs
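
To see which of the software patches discussed in this thread a Linux machine is actually running, the kernel's own status files can be read. This is an added example, not part of any post: it assumes the Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities`, and the sample status lines it falls back to are constructed.

```python
import os
import tempfile

# Linux reports per-issue CPU mitigation state here, one file per issue.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Meltdown plus the two Spectre variants disclosed alongside it.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(line):
    """Map one sysfs status line to a coarse verdict."""
    text = line.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw_line)} for every issue in ISSUES."""
    report = {}
    for name in ISSUES:
        try:
            with open(os.path.join(sysfs_dir, name), errors="replace") as fh:
                raw = fh.read().strip()
        except OSError:
            # No file: this kernel does not report the issue at all, which
            # is not the same as being patched.
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Issues that are not confirmed mitigated or not applicable."""
    ok = ("mitigated", "not_affected")
    return sorted(n for n, (verdict, _) in report.items() if verdict not in ok)


def build_sample_dir():
    """Constructed sample tree; spectre_v2 is left out on purpose."""
    root = tempfile.mkdtemp(prefix="cpu-vuln-sample-")
    samples = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Use the live interface when present, otherwise the constructed sample.
    source = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else build_sample_dir()
    report = audit(source)
    for name in ISSUES:
        verdict, raw = report[name]
        print(f"{name:12} {verdict:13} {raw}")
    print("needs attention:", ", ".join(needs_attention(report)) or "none")
```

A missing status file is reported separately from a vulnerable one, because a kernel that predates the interface gives no evidence either way.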

  2. #2
    Diamond Mintjewlips's Avatar
    Chaos is a ladder.......
    "Druff would suck his own dick if it were long enough"- Brandon "drexel" Gerson

    "ann coulter literally has more common sense than pfa."-Sonatine

    "Real grinders supports poker fraud"- Ray Davis


    "DRILLED HER GOOD"- HONGKONGER

  3. #3
    NoFraud Poker Room Manager Belly Buster's Avatar
    If the only real fix is to buy new chips, you might want to go long on Intel as the sales surge will outstrip any lawsuits that might hit.

    Oh, and for those of us with long memories ... http://www.techradar.com/news/comput...-world-1270773
    Quote Originally Posted by Dan Druff View Post
    BTW JACKDANIELS is the first one banned from the thread. He is accusing me of being "duped by a middle aged man who dresses like John Cena"
    #FREEJACK #NEVERFORGET

    NoFraud Online Poker Room: http://nofraud.pokerfraudalert.com:8087. For password resets and reload requests PM me.

  4. #4
    Plutonium sonatine's Avatar
    Quote Originally Posted by Belly Buster View Post
    If the only real fix is to buy new chips, you might want to go long on Intel as the sales surge will outstrip any lawsuits that might hit.

    Oh, and for those of us with long memories ... http://www.techradar.com/news/comput...-world-1270773


    I wondered about this as well but then I read about the CEO cashing out and felt he probably knows better than I do.

  5. #5
    Gold Deal's Avatar
    Agree, the software updates being released can only disable usage of features that could be exploited. Features that enhance performance. So they are issuing updates to cripple their software to ensure performance features aren't being used. What a cluster fuck. Make sure your next computer has AMD Inside.
    Quote Originally Posted by Jasep View Post
    I have always tried to carry myself with a high level of integrity in the poker community and I take it very personally when someone calls that in to question.

  6. #6
    Plutonium sonatine's Avatar
    Quote Originally Posted by Deal View Post
    Agree, the software updates being released can only disable usage of features that could be exploited. Features that enhance performance. So they are issuing updates to cripple their software to ensure performance features aren't being used. What a cluster fuck. Make sure your next computer has AMD Inside.

    AMD vulnerable as well. Basically everyone has AIDS. Everyone.

    It's something that goes back to the fundaments of x86 code execution, it's just totally burnt in.

    And now that we have opened this Pandora's box, we can expect a lot of very serious discussion about a lot of other shit that's gotta go but is going to break exactly everything.

  7. #7
    Owner Dan Druff's Avatar
    Since closing the vulnerability will reportedly cause a major performance hit, and since attacking this vulnerability is not trivial, it's probably better NOT to patch this, unless you're on a computer likely to be attacked (such as a government or corporate system).

    One commonly misunderstood aspect of cybersecurity involves targeting. The average computer user pictures Russian hackers looking to get into his e-mail, read his sensitive personal thoughts, and then later hack his bank account information and drain all of his money.

    That's not how it happens in reality. Sophisticated hacker outfits are interested in high-value targets and/or mass data accumulation. They don't care about the content of your personal e-mail, nor will a human being ever read it. They aren't going to go after your specific bank account or credit card. They might sell your personal info on the black market, but that's about it. It is too difficult to commit credit card or bank fraud en masse against thousands or millions of victims.

    Bottom line is that, even if your device is highly vulnerable, you are unlikely to be attacked by any sophisticated hacker outfit, and if you are, you're not likely to see any kind of consequence from it.

    For just about everyone reading this site, I would suggest NO action at this time.

  8. #8
    Plutonium simpdog's Avatar
    Druff what if someone hacks PFA

  9. #9
    Platinum
    Yup, AMD was the first stock I thought of when I saw this news break; I was like, surely this is going to at least spike in the short term...



    That aside, I'm skeptical that INTC will surge from this situation. I'm not an expert and all, but aside from the massive lawsuits that are likely to manifest, aren't they going to be responsible for replacing the chips? I'm actually asking because I really don't know. I think about all of the recalls out there in the corporate world and how the companies are responsible for the repairs...wouldn't this happen with Intel?

    I'm also thinking about the factor that INTC could lose some consumer confidence vs other players like AMD?

  10. #10
    Owner Dan Druff's Avatar
    Quote Originally Posted by simpdog View Post
    Druff what if someone hacks PFA
    Already happened.

    Russians hacked PFA through a vulnerability in the vBulletin software, and installed a nasty backdoor which basically gave them root access. They used it to send out spam e-mail. I thought I closed it in 2014, especially because it didn't recur. Then it turned out that the backdoor still existed, and I only removed what they had done with it (I didn't realize they accomplished it with the backdoor webshell in the first place).

    In January 2017, they utilized it again, spamming more e-mail from PFA. That time I looked into it more deeply, found the webshell, and wiped it out.

    There have been no further incidents since, and I believe the vulnerability in the software is also closed now.

    While the Russians could have accessed user data, they were not interested in that. They only wanted the server for sending spam.

  11. #11
    Owner Dan Druff's Avatar
    It is a good question whether the provider I'm leasing PFA from is going to take action, though. It's a very large provider, and obviously a performance hit would be shitty if that were to occur.

  12. #12
    PFA Emeritus Crowe Diddly's Avatar
    Google claims they found a solution with only minimal performance slowdown issues.

    https://www.theverge.com/2018/1/4/16...mance-slowdown

  13. #13
    Owner Dan Druff's Avatar
    Quote Originally Posted by Crowe Diddly View Post
    Google claims they found a solution with only minimal performance slowdown issues.

    https://www.theverge.com/2018/1/4/16...mance-slowdown
    Unless minimal = not noticeable, I will take my chances.

  14. #14
    Diamond hongkonger's Avatar
    Quote Originally Posted by Dan Druff View Post
    Since closing the vulnerability will reportedly cause a major performance hit, and since attacking this vulnerability is not trivial, it's probably better NOT to patch this, unless you're on a computer likely to be attacked (such as a government or corporate system).

    One commonly misunderstood aspect of cybersecurity involves targeting. The average computer user pictures Russian hackers looking to get into his e-mail, read his sensitive personal thoughts, and then later hack his bank account information and drain all of his money.

    That's not how it happens in reality. Sophisticated hacker outfits are interested in high-value targets and/or mass data accumulation. They don't care about the content of your personal e-mail, nor will a human being ever read it. They aren't going to go after your specific bank account or credit card. They might sell your personal info on the black market, but that's about it. It is too difficult to commit credit card or bank fraud en masse against thousands or millions of victims.

    Bottom line is that, even if your device is highly vulnerable, you are unlikely to be attacked by any sophisticated hacker outfit, and if you are, you're not likely to see any kind of consequence from it.

    For just about everyone reading this site, I would suggest NO action at this time.
    This is what I thought as well, and I don't store anything on the cloud.
    HILLARY WON

  15. #15
    Plutonium sonatine's Avatar
    Quote Originally Posted by Dan Druff View Post
    Since closing the vulnerability will reportedly cause a major performance hit, and since attacking this vulnerability is not trivial, it's probably better NOT to patch this, unless you're on a computer likely to be attacked (such as a government or corporate system).

    One commonly misunderstood aspect of cybersecurity involves targeting. The average computer user pictures Russian hackers looking to get into his e-mail, read his sensitive personal thoughts, and then later hack his bank account information and drain all of his money.

    That's not how it happens in reality. Sophisticated hacker outfits are interested in high-value targets and/or mass data accumulation. They don't care about the content of your personal e-mail, nor will a human being ever read it. They aren't going to go after your specific bank account or credit card. They might sell your personal info on the black market, but that's about it. It is too difficult to commit credit card or bank fraud en masse against thousands or millions of victims.

    Bottom line is that, even if your device is highly vulnerable, you are unlikely to be attacked by any sophisticated hacker outfit, and if you are, you're not likely to see any kind of consequence from it.

    For just about everyone reading this site, I would suggest NO action at this time.
    It affects iPhones and I believe Android as well, although I believe both have had patches pushed. In any case, I do not believe anyone will be able to opt out of whatever patches end up getting pushed to their OS's.


    Also everything else you said is wrong but I'm not going to get into it unless you consider anything less than state-sponsored APT to be unsophisticated I guess.

  16. #16
    Owner Dan Druff's Avatar
    Quote Originally Posted by sonatine View Post
    Quote Originally Posted by Dan Druff View Post
    Since closing the vulnerability will reportedly cause a major performance hit, and since attacking this vulnerability is not trivial, it's probably better NOT to patch this, unless you're on a computer likely to be attacked (such as a government or corporate system).

    One commonly misunderstood aspect of cybersecurity involves targeting. The average computer user pictures Russian hackers looking to get into his e-mail, read his sensitive personal thoughts, and then later hack his bank account information and drain all of his money.

    That's not how it happens in reality. Sophisticated hacker outfits are interested in high-value targets and/or mass data accumulation. They don't care about the content of your personal e-mail, nor will a human being ever read it. They aren't going to go after your specific bank account or credit card. They might sell your personal info on the black market, but that's about it. It is too difficult to commit credit card or bank fraud en masse against thousands or millions of victims.

    Bottom line is that, even if your device is highly vulnerable, you are unlikely to be attacked by any sophisticated hacker outfit, and if you are, you're not likely to see any kind of consequence from it.

    For just about everyone reading this site, I would suggest NO action at this time.
    It affects iPhones and I believe Android as well, although I believe both have had patches pushed. In any case, I do not believe anyone will be able to opt out of whatever patches end up getting pushed to their OS's.


    Also everything else you said is wrong but I'm not going to get into it unless you consider anything less than state-sponsored APT to be unsophisticated I guess.
    You are correct that people aren't going to have a choice if these are patches pushed into their phones. I don't accept new iOS versions anyway, so it won't matter for me. But yes, for everyone else, it might be good to ignore the new OS versions being pushed if they don't want this update.

    You claimed everything else I said is wrong. Really? You mention state-sponsored APT (advanced persistent threats, for those who are wondering). Do you really think Joe iPhone User is going to suffer from such a thing, even if his device is compromised?

    I would like to hear how you feel that would affect Joe iPhone User, and how slowing his device to a crawl is a worthy exchange in order to prevent it.

    People fear hackers because they picture these hackers wreaking havoc upon their lives. But that's rarely the case for most people who are victims of a mass hacking. I would like for you to point out one massive hack in recent times where the typical user was adversely affected, aside from the aftermath of having their account numbers force-changed by the bank, etc.

  17. #17
    Plutonium sonatine's Avatar
    Quote Originally Posted by Dan Druff View Post
    Quote Originally Posted by sonatine View Post

    It affects iPhones and I believe Android as well, although I believe both have had patches pushed. In any case, I do not believe anyone will be able to opt out of whatever patches end up getting pushed to their OS's.


    Also everything else you said is wrong but I'm not going to get into it unless you consider anything less than state-sponsored APT to be unsophisticated I guess.
    You are correct that people aren't going to have a choice if these are patches pushed into their phones. I don't accept new iOS versions anyway, so it won't matter for me. But yes, for everyone else, it might be good to ignore the new OS versions being pushed if they don't want this update.

    You claimed everything else I said is wrong. Really? You mention state-sponsored APT (advanced persistent threats, for those who are wondering). Do you really think Joe iPhone User is going to suffer from such a thing, even if his device is compromised?

    I would like to hear how you feel that would affect Joe iPhone User, and how slowing his device to a crawl is a worthy exchange in order to prevent it.

    People fear hackers because they picture these hackers wreaking havoc upon their lives. But that's rarely the case for most people who are victims of a mass hacking. I would like for you to point out one massive hack in recent times where the typical user was adversely affected, aside from the aftermath of having their account numbers force-changed by the bank, etc.


    Ransomware was something like the #1 most popular malware being spread in 2017, so I mean, right out the gate...

  18. #18
    Diamond DRK Star's Avatar
    [Attached image: DSwGIIcVQAARNgw.jpg]
    Quote Originally Posted by Tyde View Post
    (I'm) a little preoccupied in Thailand right now

  19. #19
    Plutonium sonatine's Avatar
    Cute story but that's not how backdoors get added, it's never some random electrical-engineer employee's job to 'add a backdoor'.

    Note that I'm not saying the ME isn't backdoored, or that it can't be accessed Out of Band when a machine is hibernating via anything from bluetooth to the speakers themselves, I'm just saying that this shitmeme is sloppy work.

     
    Comments
      
      DRK Star: Ah, ok. Looked interesting to a non-techie
    Last edited by sonatine; 01-04-2018 at 10:16 PM.

  20. #20
    Diamond
    Quote Originally Posted by DRK Star View Post
    [Attached image: DSwGIIcVQAARNgw.jpg]

    Better check on that Fox News Notification

     
    Comments
      
      DRK Star: Not my screenshot
