'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Intel's fix for Spectre variant 2 – the branch target injection design flaw affecting most of its processor chips – is not to fix it. Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips – at least for a few years until …

  1. Duncan Macdonald

    The bug is better than the buggy fix !!!

    Until Intel get their act together and release stable fixes, I have disabled Windows Update on my home systems (neither Meltdown or Spectre is much of a threat to a home user). It is in my opinion safer to use a slightly out of date Windows 10 installation than an unstable one. (Edge / IE are not a problem on my system as they are disabled with the Norton firewall denying them internet access so their myriad of bugs do not matter.)

    1. J. R. Hartley

      Re: The bug is better than the buggy fix !!!

      Windows 10 is the real vulnerability in your system.

      1. John Smith 19 Gold badge
        FAIL

        Translation "Any performance hit you take by setting this flag is on *you*"

        Well in line with US Corporate (Blame the victim for our incompetence) culture. *

        *More like what you find growing on cheese that's been in the fridge for a few months after its sell by date than artistic and social refinement.

        1. PaulFrederick

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          If they're so incompetent where were all of the competent ones for the past 20 years? That's a mighty long lunch break they were all on.

        2. Anonymous Coward

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          @ John Smith 19

          Exactly, Intel is hoping that by giving consumers a "choice" they'll mitigate their liability. Intel f@#$ed up and this is not a real fix. In fact, it may create problems for less technical users.

          This does make me wonder if the three letter agencies didn't request a "fix" like this whether they'd already been using this method to spy on people or just want to now.

        3. WhatsData2U
          Joke

          Re: Translation "Any performance hit you take by setting this flag is on *you*"

          Hmm... guess we can either wait for v9+ or a new design. Probably take about the same amount of time for either. While they dance, we wait.

    2. jonfr

      Re: The bug is better than the buggy fix !!!

      I have AMD and I had to install Windows 10 update kb4073290 to get windows 10 stable again. Since I am using Windows 10 Home I don't have the option of disabling the updates.

      My AMD computer was not in an unbootable state but was showing signs of instability with at least one random reboot. Random reboot should not happen under any circumstances.

      https://support.microsoft.com/en-us/help/4073290/unbootable-state-for-amd-devices-in-windows-10-version-1709

      1. eldakka

        Re: The bug is better than the buggy fix !!!

        > Since I am using Windows 10 Home I don't have the option of disabling the updates.

        Yes you do.

        There are registry keys that can be changed and services that can be disabled to accomplish this.

        There are even 3rd party programs, like ShutUp10, that give you a simple slider switch to disable/enable these features without having to go into the registry or services control panel.

      2. scrubber

        Re: The bug is better than the buggy fix !!!

        "I don't have the option of disabling the updates"

        Sure you do. Whitelist all the IP addresses you want to use on the firewall and Microsoft can't get at your machine.

      3. RegGuy1 Silver badge

        Windows 10 Home doesn't have the option of disabling the updates

        Can't you add

        127.0.0.1 microsoft.com

        to your hosts file (windows has one buried somewhere)? That should fix it.

        1. Vince

          Re: Windows 10 Home doesn't have the option of disabling the updates

          "Can't you add..."

          (a) No, because that's not the host name used for Windows Update

          (b) No, because Windows has a hard coded list of locations including IP addresses to ensure malware can't so easily stop updates & to prevent hijacking that it uses as well as looking things up

      4. idontbyte

        Re: The bug is better than the buggy fix !!!

        'Random reboot should not happen under any circumstances.' - incorrect, unless you are using ECC registered memory then your computer is susceptible to data corruption from outside sources such as solar flares. Some articles have reported that with 4GB memory you are likely to have at least 1 bit error every 48 hours, whereas with ECC registered memory it's more like 2.7 million years.

        Random reboots can also be the result of poor code, especially drivers, though you would expect windows to highlight this in this case.

    3. Sitaram Chamarty

      Re: The bug is better than the buggy fix !!!

      > neither Meltdown or Spectre is much of a threat to a home user

      I hope you've updated your browser at least because Meltdown and/or Spectre can be used from Javascript. Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers. Not quite a fix, but from a browser's standpoint that's really all they can do.

      No idea about Chrome, and even less about IE.

      1. PaulFrederick

        Re: The bug is better than the buggy fix !!!

        You hope they updated? Who do you think they are James Bond? Most of us have nothing on our systems but data anyone can access on the Internet anyways. It is not like you're going to get the launch codes out of my PC, that's for sure. For the processing power it'd take to gain any worthwhile data out of Spectre or Meltdown you might as well just mine for bitcoins. You'd be ahead of the game. At least with mining you know there's some value in it eventually. On my PC right now you'd just be reading this stupid comment I'm posting. Big whoop de do. Random cache data is low grade ore. It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't.

        1. werdsmith Silver badge

          Re: The bug is better than the buggy fix !!!

          @paulfederick

          Indeed you are correct. I'm avoiding these updates and there is nothing on my home PC of any interest anyway. Anyone wants to take a look, be my guest but you'll be bored after 5 minutes. And what is the likelihood of a successful Spectre attack by browser? Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit.

          There will always be the prissy individuals that are frightened of everything and can't think for themselves though.

          1. Tom 7

            Re: The bug is better than the buggy fix !!!

            @werdsmith with that attitude you may well find there is something interesting on your home PC before too long.

          2. Ben Tasker

            Re: The bug is better than the buggy fix !!!

            > Indeed you are correct. I'm avoiding these updates and there is nothing on my home PC of any interest anyway.

            So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

            The odds of getting caught by it are very, very slim (at least at the moment), but it's very, very easy to underestimate the value of the stuff we actually use our machines for.

            Not updating because you think there's nothing of value on your machine is naive. Base your decision on an actual assessment of the risk vs the trade-offs, not on the perceived value of the data on your system.

            Just my 2p

            1. werdsmith Silver badge

              Re: The bug is better than the buggy fix !!!

              So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

              Nope.

              @Tom7 Nothing sinister has appeared on my PC in decades.

              Plenty of interesting stuff though, isn't that the point?

              1. IceC0ld

                Re: The bug is better than the buggy fix !!!

                So you never, for example, do Internet Banking? Or send off any kind of identifying documentation?

                Nope.

                @Tom7 Nothing sinister has appeared on my PC in decades.

                Plenty of interesting stuff though, isn't that the point?

                ==

                Mr Krebs says it best, YOU thinking your PC is not 'interesting' doesn't mean it isn't of interest

                https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

          3. Anonymous Coward

            Re: The bug is better than the buggy fix !!!

            At last! someone who never does internet banking nor has any interaction with any site that talks to any government or financial body at any time over the internet.

            I hope that you haven't browsed to any site that saves your credit card details. Amazon for example are really bad at doing that.

            Luckily for you, not doing that means that there is no chance that some future malware delivered from a botnet constructed of 2 year old unpatched home wifi routers abandoned by the manufacturer won't be able to use meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct amazon via that authorised and established connection to add a new delivery address, change your password, issue wipe commands to any kindle fire tablet you have, deauthorise any other devices that may allow account recovery, grab details of any other connected accounts while at the same time ordering 1000's of (insert currency here) Amazon voucher codes/cards plus a new PC or two to be delivered to the newly added delivery address before they get put on ebay or that dodgy amazon card site.

            Honestly. People using the internet to buy stuff and manage their accounts was always a stupid idea. Luckily for you you don't need to patch your machine because you don't do that.

            1. ibmalone

              Re: The bug is better than the buggy fix !!!

              manufacturer won't be able to use meltdown to grab the SSL keys and cookie details for your active Amazon connection, then instruct amazon via that authorised and established connection to add a new delivery address

              This is actually one thing Amazon do not too badly. You cannot get your stored credit card details back off Amazon, and attempting to enter a new delivery address requires re-confirming your payment details. Of course, compromise the connection and you can pretend to be Amazon, requesting confirmation of payment details...

          4. Roo
            Windows

            Re: The bug is better than the buggy fix !!!

            "Seriously, I'm not running a VM farm, I don't give a shit about this and any of my own personal kit."

            I'm in the same boat as far as my desktop box goes, but I do give a bit of a shit because quite frankly having a machine go tits up on you costs time and effort to resolve... I have found that prevention is better than a cure - simply because it wastes less time.

        2. Wayland

          Re: The bug is better than the buggy fix !!!

          PaulF, Perhaps you don't use your computer for banking but most people do. A baddie does not need to access your whole computer just a few bytes when you're typing your banking passwords.

        3. Anonymous Coward

          Re: The bug is better than the buggy fix !!!

          "It's not worth digging into. Not unless you're focused on a valuable target at least. Which most of us just aren't."

          So you don't have any internet banking on your machine. Good. You also don't have any mortgage details or scans of ID documents. You also are not going to be editing a selfie with your bank card details visible at any time, I take it you are careful enough to not leave such cards lying on a surface where they may be photographed by accident.

          I also assume you have no kids that may be using a computer with a built in webcam?

          Everyone is a valuable target for someone. Just because you don't think of attacking someone's PC for their data or CPU cycles don't think that someone you don't know and will never meet thinks the same as you. Of all the billions of humans out there someone will want your data or your PC, for money or whatnot. Sure they will prefer the easy targets. Don't be an easy target.

          Thanks to meltdown, unpatched you are basically running naked across the internet showing off all your SSL secret keys. Once someone catches a glimpse of your nude SSL secrets they can impersonate those sites. Once you think you are talking to facebook and not them I'm sure they will have plenty of nice little downloadable packages that they can give you.

          Ever heard of firesheep? It was a very useful firefox plugin. It was quite popular amongst Starbucks wifi users ;)

        4. collinsl Bronze badge

          Re: The bug is better than the buggy fix !!!

          00000000

          ^ US Launch codes inside the USA.

        5. Anonymous Coward

          Re: The bug is better than the buggy fix !!!

          On my PC right now you'd just be reading this stupid comment I'm posting.

          "Oooohhh look, someone is browsing Vocaloid Pr0n, let's get our hacker buddies in on this..."

      2. tim292stro

        Re: The bug is better than the buggy fix !!!

        "...

        >> neither Meltdown or Spectre is much of a threat to a home user

        > No idea about Chrome, and even less about IE.

        ..."

        Chrome 63 added a test feature one needs to turn on called Strict Site Isolation (https://support.google.com/chrome/answer/7623121?hl=en), and Chrome 64 is going to address Meltdown/Spectre formally for all users, a version which should be released any second now... (they said the 23rd of January, which I note is today).

      3. Michael Wojcik Silver badge

        Re: The bug is better than the buggy fix !!!

        Firefox 57.0.4 should be safe; they've reduced the granularity of the high precision timers

        Reducing the resolution of the high-precision timer, and disabling shared arrays, is mostly theater. There are many ways to get a sufficiently high-resolution timer in Javascript.

        Note that in the original Spectre paper, the authors didn't bother to use the Javascript high-precision timer, because it was already disabled in Chrome. Door closed, horse bolted.

        1. Anonymous Coward

          Re: Reducing the resolution of the high-precision timer

          "Reducing the resolution of the high-precision timer"

          Are you sure you mean what you've written?

          Resolution and precision are separate concepts, and accuracy is yet another.

          There are lots of places around the web where this distinction is discussed; go have a read and find a description that suits your needs (I'm not even going to try).

          Or try talking to someone who understands the technology of measurement, e.g. someone who understands what might be going on when a digital frequency meter says the mains frequency is 55.000645 Hz. It's about time.

          Are there any "security researchers" who even understand the distinction, let alone are capable of explaining why the distinction doesn't matter to their alleged "exploit"?
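An added illustration of the timer coarsening discussed in the comments above (not code from any commenter or browser vendor): it models a clock clamped to a fixed step, shows what a script then observes when timing two short events, and estimates a clock's effective step from back-to-back readings. The 20 µs step, the fake clock and every timestamp are constructed assumptions.

```javascript
// Added illustration; all timestamps are constructed sample values.
// Units are integer nanoseconds so the arithmetic is exact.

// Model of a coarsened clock: the true time is rounded down to a
// multiple of the granularity before script code can read it.
function coarsen(trueNs, granularityNs) {
  return Math.floor(trueNs / granularityNs) * granularityNs;
}

// What a script observes when it times an event lasting `durationNs`
// that begins at `startNs`, using only the coarsened clock.
function observedDuration(startNs, durationNs, granularityNs) {
  return coarsen(startNs + durationNs, granularityNs) -
         coarsen(startNs, granularityNs);
}

// Read a clock n times back to back.
function sampleClock(nowFn, n) {
  const samples = [];
  for (let i = 0; i < n; i++) samples.push(nowFn());
  return samples;
}

// Estimate a clock's effective step: the smallest non-zero difference
// between successive readings. This is an upper bound on the real step
// when the sampling loop is slower than the clock.
// Returns null if the clock never advanced during sampling.
function estimateGranularity(samples) {
  let step = null;
  for (let i = 1; i < samples.length; i++) {
    const delta = samples[i] - samples[i - 1];
    if (delta > 0 && (step === null || delta < step)) step = delta;
  }
  return step;
}

// Hypothetical fake clock for offline use: true time advances by
// `tickNs` per read, but callers only see the coarsened value.
function makeFakeClock(granularityNs, tickNs) {
  let trueNs = 0;
  return () => {
    const visible = coarsen(trueNs, granularityNs);
    trueNs += tickNs;
    return visible;
  };
}

const ASSUMED_GRANULARITY_NS = 20000; // 20 µs, an assumed value

// Two constructed events (50 ns and 200 ns) starting at the same instant
// are indistinguishable in a single reading of the coarsened clock.
const shortEvent = observedDuration(1003000, 50, ASSUMED_GRANULARITY_NS);
const longEvent = observedDuration(1003000, 200, ASSUMED_GRANULARITY_NS);
console.log("observed ns:", shortEvent, longEvent);

// Recover the step of the fake clock from its readings alone.
const fakeStep = estimateGranularity(
  sampleClock(makeFakeClock(ASSUMED_GRANULARITY_NS, 700), 200));
console.log("fake clock step (ns):", fakeStep);

// Live check of whatever clock this runtime exposes (value is in ms).
if (typeof performance !== "undefined") {
  const liveStepMs = estimateGranularity(
    sampleClock(() => performance.now(), 100000));
  console.log("smallest observed performance.now() step (ms):", liveStepMs);
}
```

Run in a browser console, the last line reports the step that browser currently exposes, which is how to confirm a coarsening update has actually taken effect.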

    4. bdg2

      Re: The bug is better than the buggy fix !!!

      My understanding is that Microsoft never got as far as including the buggy 8th January Intel microcode in a Windows update.

      1. Yet Another Anonymous coward Silver badge

        Re: The bug is better than the buggy fix !!!

        Wouldn't it be easier for the software to just set a bit to say whether it is evil or not?

        1. richardcox13
          Go

          Re: The bug is better than the buggy fix !!!

          > set a bit to say whether it is evil

          You'll be thinking of RFC 3514.

          A more general mechanism would make things easier. Where's that feature Linus?

      2. thondwe

        Re: The bug is better than the buggy fix !!!

        Updates for Microcode via Windows is for their hardware only - Surface etc. - they have rolled out the new code for those, but not sure they pushed them via Windows Update as yet.

        BTW, IE and Edge both been patched to mitigate against the bugs, Chrome needs site isolation enabled (this may be default soon). Firefox - don't know - don't use it.

    5. Mark 85

      Re: The bug is better than the buggy fix !!!

      Win 7, NoScript, IE, Chrome, Firefox plus Voodoo Shield and killed the MS patch after it bogged the crap out of the PC. Since I don't "surf" but only hit trusted sites I'm not too concerned. The better half, I left the patch in place (along with the same config as mine). She doesn't mind the "hang" and maybe it will help her out. But then, she surfs like crazy.

      I've got Linux ready to rock and roll once I can get one piece of software to work with it. Old software but I like it for work with a laser cutter.

      1. DuncanLarge Silver badge

        Re: The bug is better than the buggy fix !!!

        "I don't "surf" but only hit trusted sites"

        I thought "trusted" sites went out with the dodo. No site is trusted anymore, just more popular than others.

        How many times have I read of a trusted site dishing out a drive by download due to a SQL injection attack that succeeded a few hours before. Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page.

        Unless your trusted sites are written by yourself or your mates and are only accessible on an isolated intranet?

        1. onefang

          Re: The bug is better than the buggy fix !!!

          "Sorry but the only trusted site on the internet is the one that is not returning anything but a blank page."

          But what if it only looks blank, a clever ploy to disguise the malware?

    6. DuncanLarge Silver badge

      Re: The bug is better than the buggy fix !!!

      "(neither Meltdown or Spectre is much of a threat to a home user)"

      Er, meltdown is certainly a serious threat. It basically blows open your entire system's memory map to any bit of javascript (as an example) that your browser cares to load.

      You might as well run an unpatched and unfirewalled version of windows XP and say you are just as secure.

      Install the meltdown patch just to keep your SSL connections secure. Spectre won't be patched by a windows update. You have to patch your BIOS so you can just patch meltdown.

    7. Multivac

      Re: The bug is better than the buggy fix !!!

      "Until Intel get their act together and release stable fixes" yeah I was in the same place in 2003, then I moved to Linux, glad to hear the last 15 years haven't been wasted hahahahahahahahahahahahahahahahahahahahahahahahahaha!

  2. wolfetone Silver badge
    Pint

    Good man Linus! Pint for you.

    You there Intel??? No beer for you.

    1. Anonymous Coward

      @wolfetone:

      "Good man Linus! Pint for you.

      You there Intel??? No beer for you"^H^H^H^H^H^H^H^H^H^H^H Your shout, we think.

      What's that you say, Intel? You left your wallet at the office? Along with your brains?

      There! Fixed that for you, @wolfetone. You're welcome.

      1. wolfetone Silver badge
        Pint

        @AC

        A pint for you!

    2. Brewster's Angle Grinder Silver badge

      "Let 'em have it Linus"

      Generally I'm not a fan of Linus's swear attitude. But in this case, Intel deserved everything they got.

      1. jake Silver badge

        Re: "Let 'em have it Linus"

        As usual, I think that Linus is exhibiting extreme tolerance.

        I'd have really lit into the fucking idiots.

        1. wallaby

          Re: "Let 'em have it Linus"

          "As usual, I think that Linus is exhibiting extreme tolerance."

          Tolerance !!!!!!!!!!!

          the man is a c**k

          1. Stoneshop
            Headmaster

            Re: "Let 'em have it Linus"

            the man is a c**k

            Cork? Could well be.

            I expect that if you throw him into a pool or river, he'll float.

            1. Nunyabiznes

              Re: "Let 'em have it Linus"

              "I expect that if you throw him into a pool or river, he'll float."

              He's a witch!

              1. Kabukiwookie

                Re: "Let 'em have it Linus"

                He's a witch!

                Or a duck.

            2. onefang

              Re: "Let 'em have it Linus"

              "Cork? Could well be.

              "I expect that if you throw him into a pool or river, he'll float."

              I forget, does that mean he is or isn't a witch?

              EDIT: pipped at the post by Nunyabiznes!

      2. Visual Echo
        Go

        Re: "Let 'em have it Linus"

        I am definitely a fan. How hard would it be for Linus to walk away from all of this and ignore the poison atmosphere and open up another beer? Somebody shouting like this cares a lot, and they're not passively going to let the hooting monkeys waving flaming tree branches in the front yard get away with poo-flinging shenanigans. I'm sorry but sometimes it does seem to me like threatening somebody's kids with a spanking is exactly what is needed.

  3. Doctor Syntax Silver badge

    I wonder if there's a compromise. Introduce another flag that shows it's not broken, as Linus put it but in the short term is toggled by Intel's boot time flag setting and in the longer term is permanently set to show that it's a properly fixed design.
