Design blunder exists in Intel, AMD, Arm, Power processors A incredibly well polished video lightly outlining the flaw, produced by Red Hat, can be found below... youtu.be/Uv6lDgcUAC0
theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/ >The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab – to lift sensitive information out of other parts of the application – such as personal details from another tab. DISABLE THE JAVASCRIPT BOYS, THE FREETARDS WERE RIGHT ONCE AGAIN. Side-Channel Vulnerability Variants 3a and 4: us-cert.gov/ncas/alerts/TA18-141A >Variant 3a: Rogue System Register Read – CVE-2018-3640 >Variant 4: Speculative Store Bypass – CVE-2018-3639 Redhat: Speculative Store Bypass explained: what it is, how it works
This is getting out of hand! Now there are 4 of them! RISC-V, POWER8/9 and OpenRISC CPUs when?
>DISABLE THE JAVASCRIPT BOYS It's off by default. Only enable it on sites I trust and only the portion that is needed.
Liam Cook
>theregister Any actually competent source on this?
Lincoln Powell
Yeah, theregister
Nicholas Watson
it's all over the internet you idiot. this is the gift that keep on giving.
Josiah Smith
Ok, but hasn't all the meltdown-spectre shit been patched already?
Blake James
If it's spectre ng it's been public since May 5th.
Luis Brooks
since its a design flaw it cant really be patched out and many people dont update because they are A dumb as hell or B tinfoil hatters
Just treat everything with a net connection as 100% insecure and your alright.
Lucas Russell
Why aren't there computers that encrypt absolutely everything when they're turned off? Regardless of whats on them, if they couldnt be opened without your consent they could never persecute anyway. If everyone owned a machine like that theyd probably try to outlaw them with national security as an excuse. But it would be a good way to expose the government's bullshit.
Can't those just be bypassed by the intel management engine and other hardware exploits? I'm talking about a machine that encrypts at the hardware level and unencrypts the operating system, bios etc on each start.
OEMs and Microsoft would just use it to lock down their chink shit systems even more.
The Intel ME is fully capable of stealing the private key used to encrypt the disk drive once it has been loaded into memory, but I doubt that the Intel ME actively stores the key without prior instruction to do so. Without the key available the data is worthless until the user provides the encryption key / passphrase.
That said, if I was the NSA / CIA, it would be much easier to threaten to ship the neckbeard to Gitmo or torture them a bit if I really needed the data on the drive. No need to spend millions developing a complex module for the Intel ME that actively searched for and copied FDE encryption information or something.
Isaac Harris
How?
If microsoft locked down their systems they would just alienate any consumers who bought into privacy, as well as making them look anti privacy until they adopted the same practices. I mean even if microsoft made it impossible to run their OS on crypt systems, someone else would have the opportunity to fill the gaps. Especially since we already have many years of old microsoft products that aren't locked down that are still usable.
most mobile devices are locked so that you cant install your own os on them and most people have no problems with that.
Jose Perez
Google, Facebook, Microsoft with Windows 7 / 8 / 10, etc. have shown us that consumers are 100% willing to trade away their privacy for cheap or freely.
They only give a shit when the data makes the news because of some scandal or information theft.
And even a hardware level encryption device isn't entirely secure. Why not just infect your machine with a driver backdoor / OS exploit / other zero day once you are booted into your operating system and the data is decrypted on the fly as needed? That bypasses your encryption entirely.
FDE is primarily used by businesses that have a regulatory need to protect themselves from liability (e.g., if an employee laptop with access to customer data is stolen, we can definitively claim that the stolen hard disk drive is inaccessible because the computer was powered off at the time of the theft and the person who stole it has a virtually zero chance of decrypting the AES256 or whatever that was encrypting the drive).
Henry Martin
Install hardened gentoo and you wouldn't have this problem.
The analogy stopped mid way. In the restaurant whats the equivalent of the hacker overseeing and stealing orders?
Christopher Myers
Most of those consumers never even used or understood tge internet til the late 2007s anyway. The people who have always been around do care, and a lot of that is evident in the almost daily threads here concerning privacy. Younger people want to know about it too, and almost nobody actively wants their data collected or to be spied on. In the case of using google, there aren't alternatives to google services that don't do the same thing outside of maybe email providers like protonmail. There are no tracking free social media or chat platforms that aren't trying to mine your data.
In the case of a driver, OS etc exploit I'm confused how that would work with what i'm suggesting, though my knowledge is limited. If the processor, ram, etc is made to encrypt everything from boot to shut off, how will a backdoor manage to keep its information decrypted? Where will it be stored if the ram and processor cache is flushed? Unless your hardware peripherals themselves had memory to store something wouldnt you just have a decrypted key that was stored in a once again encrypted system? Or are you saying the government will just use it to decrypt you without your consent since they have it saved.
Ayden Torres
Aren't there like a million custom roms though? I'm running one right now on my phone even. They're offshoots of android I suppose. Is there a measure to prevent someone from building their own OS apart from time?