'Next Generation' Flaws Found on Computer Processors (reuters.com)
An anonymous reader shares a report: Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday. The magazine, called c't, said it was aware of Intel's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable. Meltdown and Spectre bugs could reveal the contents of a computer's central processing unit -- designed to be a secure inner sanctum -- either by bypassing hardware barriers or by tricking applications into giving up secret information.
Nothing will ever be 100% secure, so just give up.
I think the point FudRucker is making is that there is no point in buying high-end stuff at premium prices when a year or two down the line you will have to apply crippleware patches to secure it - and reduce it to half the original performance; if you buy yesterday's tech, you could get the same cripplewared performance at a fraction of the price.
That's why you release new OS's and software that *only* work with "new generation" hardware while promulgating new web standards that embrace "new generation" hardware-specific standards but are incompatible with the old.
you will have to apply crippleware patches to secure it - and reduce it to half the original performance
That "reduced performance" is actually the performance you should have had all along.
The problem is, Intel tried to cheat. "Speculative execution" is just a marketing gimmick created so they could claim that their chips were faster than the competition. And when one company cheats, and gets away with it, everyone else has to cheat too, in order to stay competitive. So now we're stuck with hundreds of millions of CPUs with design flaws.
Z80 is 100% immune. Time to dust off the old TRS-80.
Good luck. From understanding the flaw, finding a solution, testing for unintended consequences, creating a new mask with the changes to fabrication... probably a year wait or longer.
Best we can hope for is a microcode update that doesn't leave much of a performance hit.
Except they won't. At least not till quantum computers actually become usable by the regular consumer. Until then all processors will be vulnerable to some extent to SPECTRE class attacks (not however Meltdown, that was purely Intel's fuckup) because you lose way too much performance dropping speculative execution entirely. There will merely be mitigation in place to make exploiting such attacks as difficult as possible.
More of an issue now (Score:5, Insightful)
We're also running programs written in C and connecting them to the internet
... we don't need javascript to be wide open.
This is why I have been saying for years Javascript has GOT to go. It was made in an age when the biggest threat was infected floppy discs and since then it's been band-aids on bullet wounds. You shouldn't be running complex code off of third party sites that have had ZERO vetting and with JS and ads these days? Hell, malware authors couldn't have designed a better delivery system if they tried!
Direct article link (Score:3)
here [heise.de] (German)
And here in English also [heise.de].
Next generation (Score:5, Insightful)
Reserving CVE numbers is a meta-security hole. (Score:2)
The process of reserving CVE numbers clearly discloses timing of discovery of vulnerabilities. The CVE numbering authority should close that potential security hole.
Likely Variants on Spectre (Score:2)
It is likely that there are other bugs related to speculative execution that can leak data. For example, you could have code that leaks data through timing instead of through direct cache impact. You measure the number of cycles after writing clever code that consumes one more or less based on a bit of restricted data.